kvno failed with recent samba4

Matthieu Patou mat+Informatique.Samba at matws.net
Sun Feb 8 10:15:12 GMT 2009


On 02/08/2009 09:51 AM, Andrew Bartlett wrote:
> On Sat, 2009-02-07 at 10:20 -0500, Love Hörnquist Åstrand wrote:
>    
>> 7 feb 2009 kl. 08:34 skrev Matthieu Patou:
>>
>>      
>>> In fact my question was more: why the same command works quietly
>>> against a Windows 2003 AD and fails against a fairly recent samba4.
>>>        
>> Different default settings?
>>      
>
> Correct.  Samba4 does not allow this by default.  I think adding a
> servicePrincipalName might be the fix (or if it is not, that is what I'll
> make the trigger).  Allowing this by default allows offline attacks on a
> user's password otherwise.
>
>    
Can you develop this point? I mean about the offline attack? And being
able to get the kvno through
kvno ldap/test@SMB4.TST is not a security issue?
>> ldap/<hostname.of.ad.server> should do it, or <hostname>$@REALM should
>> also work.
>>      
>
> Certainly this should work for any user account.
>    
Yes, it works, thanks for the tip, Love.

Matthieu.


More information about the samba-technical mailing list