Tiny patch concerning SPNEGO and RFC4178

Andrew Bartlett abartlet at samba.org
Fri Dec 3 15:46:50 MST 2010


On Sat, 2010-12-04 at 09:40 +1100, Andrew Bartlett wrote:
> On Fri, 2010-12-03 at 14:10 -0500, Goldberg, Neil R. wrote:
> > The attached patch against the 3.5.x series changes the way smbd hints the client during the negotiation phase with a configuration flag.
> 
> The problem I have with this patch is that the previous behaviour was
> against the relevant RFC, but we followed the Microsoft behaviour.  

I'm sorry.  As I re-read the patch after I sent that mail, I clearly got
completely the wrong sense of this.  

I fully support your patch, but it should be for 3.6, and be on by
default.  Additionally we should have the same or a similar switch
control our clients use of this value. 

> Even more of a problem is that there are clients, including our own,
> which used this value, as it does present opportunities for
> man-in-the-middle attacks. 
> 
> Now that Microsoft has moved to follow the updated RFC in this area, I
> strongly prefer that we continue to follow suit.  This particular
> feature (sending a target principal) should never have been implemented,
> and it should not be revived. 

That is (sorry), that your patch does exactly the right thing, but we
should be more aggressive for 3.6 (on by default). 

> We also need to stop our client tools and libraries using these values,
> but that's a separate matter. 

Sorry for the previous mail.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/fb8e8ad8/attachment.pgp>


More information about the samba-technical mailing list