Tiny patch concerning SPNEGO and RFC4178

Andrew Bartlett abartlet at samba.org
Fri Dec 3 15:40:26 MST 2010


On Fri, 2010-12-03 at 14:10 -0500, Goldberg, Neil R. wrote:
> The attached patch against the 3.5.x series changes the way smbd hints the client during the negotiation phase with a configuration flag.

The problem I have with this patch is that the previous behaviour was
against the relevant RFC, but we followed the Microsoft behaviour.  

Even more of a problem is that there are clients, including our own,
which used this value, as it does present opportunities for
man-in-the-middle attacks. 

Now that Microsoft has moved to follow the updated RFC in this area, I
strongly prefer that we continue to follow suit.  This particular
feature (sending a target principal) should never have been implemented,
and it should not be revived. 

We also need to stop our client tools and libraries using these values,
but that's a separate matter. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.