Tiny patch concerning SPNEGO and RFC4178
Andrew Bartlett
abartlet at samba.org
Fri Dec 3 15:46:50 MST 2010
On Sat, 2010-12-04 at 09:40 +1100, Andrew Bartlett wrote:
> On Fri, 2010-12-03 at 14:10 -0500, Goldberg, Neil R. wrote:
> > The attached patch against the 3.5.x series changes the way smbd hints the client during the negotiation phase with a configuration flag.
>
> The problem I have with this patch is that the previous behaviour was
> against the relevant RFC, but we followed the Microsoft behaviour.
I'm sorry. As I re-read the patch after I sent that mail, I clearly got
completely the wrong sense of this.
I fully support your patch, but it should be for 3.6, and be on by
default. Additionally we should have the same or a similar switch
control our clients use of this value.
> Even more of a problem is that there are clients, including our own,
> which used this value, as it does present opportunities for
> man-in-the-middle attacks.
>
> Now that Microsoft has moved to follow the updated RFC in this area, I
> strongly prefer that we continue to follow suit. This particular
> feature (sending a target principal) should never have been implemented,
> and it should not be revived.
That is (sorry), that your patch does exactly the right thing, but we
should be more aggressive for 3.6 (on by default).
> We also need to stop our client tools and libraries using these values,
> but that's a separate matter.
Sorry for the previous mail.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/fb8e8ad8/attachment.pgp>
More information about the samba-technical
mailing list