kvno failed with recent samba4

Andrew Bartlett abartlet at samba.org
Sun Feb 8 20:11:39 GMT 2009


On Sun, 2009-02-08 at 13:15 +0300, Matthieu Patou wrote:
> On 02/08/2009 09:51 AM, Andrew Bartlett wrote:
> > On Sat, 2009-02-07 at 10:20 -0500, Love Hörnquist Åstrand wrote:
> >    
> >> 7 feb 2009 kl. 08:34 skrev Matthieu Patou:
> >>
> >>      
> >>> In fact my question was more: why the same command works quietly
> >>> against
> >>> a Windows 2003 AD and fail against a fairly recent samba4.
> >>>        
> >> Different default settings?
> >>      
> >
> > Correct.  Samba4 does not allow this by default.  I think adding a
> > servicePrincipalName might be the fix (or if it is not, that is what I'll
> > make the trigger).  Allowing this by default allows offline attacks on a
> > user's password otherwise.
> >
> >    
> Can you develop this point? I mean about offline attack? And being 
> able to get kvno through
> kvno ldap/test@SMB4.TST is not a security issue?

It is an identical issue, but it is assumed that machine accounts are
more likely to have strong passwords than user accounts.  

> >> ldap/<hostname.of.ad.server> should do it, or <hostname>$@REALM should
> >> also work.
> >>      
> >
> > Certainly this should work for any user account.
> >    
> Yes, it works, thanks for the tip, Love.
> 
> Matthieu.
> 
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
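The thread's point is that a KDC will hand a service ticket (what `kvno` asks for) to anyone for any principal it recognises as a service, and that ticket is encrypted under the service account's long-term key, so a weak user password behind a servicePrincipalName can be guessed offline. The script below is an added example written for this archive page, not Samba code and not from anyone in the thread. It parses a constructed LDIF dump of accounts and reports which ones a `kvno` request would succeed against, separating machine accounts from the plain user accounts the thread worries about. Assumptions not stated on the page: the trigger is simply "has a servicePrincipalName", a sAMAccountName ending in `$` is a machine account, the sample objects and names are invented, and the LDIF follows the usual `attr: value`, `attr:: base64` and leading-space continuation conventions that ldbsearch and ldapsearch emit.

```python
"""Which accounts will the KDC issue a service ticket for?

Added example for the samba-technical archive page; not Samba code.
Assumptions (not from the page): an object with a servicePrincipalName is
one `kvno <spn>` succeeds against; sAMAccountName ending in '$' marks a
machine account; input is LDIF as produced by ldbsearch/ldapsearch.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample dump; these objects and names are invented.
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=smb4,DC=tst
sAMAccountName: DC1$
servicePrincipalName: ldap/dc1.smb4.tst
servicePrincipalName: HOST/dc1.smb4.tst

dn: CN=test,CN=Users,DC=smb4,DC=tst
sAMAccountName: test

dn: CN=svc-backup,CN=Users,DC=smb4,DC=tst
sAMAccountName: svc-backup
servicePrincipalName: backup/files01.smb4.tst
description:: YmFja3VwIGFjY291bnQ=

dn: CN=web,CN=Users,DC=smb4,DC=tst
sAMAccountName: web
servicePrincipalName:: aHR0cC93ZWIuc21iNC50
 c3Q=
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line (this also applies inside base64 values)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries. Attribute names are lower-cased and every
    attribute maps to a list, because servicePrincipalName is multi-valued."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if not line.strip():          # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):     # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def kvno_exposure(entries: List[Entry]) -> Dict[str, str]:
    """Map sAMAccountName -> verdict:
       'refused'       no SPN, so a service-ticket request is refused
                       (the Samba4 default described in the thread);
       'machine'       SPN on a '$' account: ticket issued, key assumed strong;
       'user-exposed'  SPN on a plain user: ticket issued, and the user's
                       password can be guessed offline against it."""
    report: Dict[str, str] = {}
    for entry in entries:
        names = entry.get("samaccountname")
        if not names:
            continue
        name = names[0]
        if not entry.get("serviceprincipalname"):
            report[name] = "refused"
        elif name.endswith("$"):
            report[name] = "machine"
        else:
            report[name] = "user-exposed"
    return report


if __name__ == "__main__":
    for account, verdict in kvno_exposure(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{account:12s} {verdict}")
```

Feed it a real dump of sAMAccountName and servicePrincipalName for your users and the "user-exposed" lines are exactly the accounts whose password strength the KDC is trusting; with the `<hostname>$@REALM` workaround from the thread, only the machine lines are reachable, which is the trade-off Andrew describes.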
