Tiny patch concerning SPNEGO and RFC4178

Goldberg, Neil R. ngoldber at mitre.org
Fri Dec 3 12:10:00 MST 2010


The attached patch against the 3.5.x series changes the way smbd hints the client during the negotiation phase with a configuration flag.

This patch makes the "not_defined_in_RFC4178@please_ignore" string the hint instead of composing a principal based on the FQDN if you add the global config boolean:
use rfc4178 hint = yes
It defaults to no, which is the old behavior.

I experienced inconsistencies in Windows workstation service behavior (across 2000-2008R2) in selecting an encryption method when the principal provided (if not the please_ignore) did not match any SPNs that corresponded to the machine account (which was aliased in a complex way in DNS). This change made all the clients behave the same way.

Setting this option would break the case of a simple DNS alias without an SPN added for a simple member Samba server when contacted by a 2000 Workstation or pre SP2 (SP3?) XP client that wanted to use Kerberos and not fall back to NTLMSSP.

Regards,
-Neil Goldberg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use_rfc4178_hint.patch
Type: application/octet-stream
Size: 3122 bytes
Desc: use_rfc4178_hint.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101203/3864e72a/attachment.obj>