problem accessing domain-based DFS with kerberos auth

Stefan Metzmacher metze at samba.org
Fri Jan 13 13:57:26 UTC 2017


Hi Aurélien,

> Alexander Bokovoy <ab at samba.org> writes:
>> I guess it then uses the DC hostname for further communications after it
>> got the closest site's DC data in CLDAP ping response.
> 
> So if I understand correctly, this is different from the insecure
> mechanism that was discussed previously [1] and is not implemented yet
> by smbclient?
> 
> 1: https://lists.samba.org/archive/linux-cifs-client/2008-August/003357.html

One thing I noticed is that ldap/w2012.suse.de/suse.de is used as the
service principal name for the LDAP authentication.

I'm not sure but [MS-ADTS] 3.1.1.5.3.1.1.4 servicePrincipalName
seems to make sure that three-part SPN values are only allowed
to be added by domain controllers on their own object (or by an
administrator).

That would imply that converting a UNC like

  \\suse.de\share

to an SPN like this:

  ldap/w2012.suse.de/suse.de

is safe even if w2012.suse.de comes from an untrusted source
like a CLDAP query, as such an SPN can only be added by trusted accounts
like RWDCs or administrators.

It would be interesting to see what a client does when it tries to access
a UNC like:

  \\dfsmember.example.com\share

in a situation where suse.de has a forest trust to example.com
and it's unclear (to the client in suse.de) if dfsmember.example.com is an
AD domain or not.

This should be compared to a UNC like:

  \\childdomain.example.com\share

where childdomain.example.com is a child domain in
the example.com forest.

metze
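Added illustration (editor's example, not code from Samba, smbclient or the message above): it models the UNC-to-SPN step the mail discusses, with a constructed stand-in for the CLDAP ping. The DC hostname returned by CLDAP is treated as untrusted; the third component of the three-part SPN is the domain name the user supplied in the UNC. The FAKE_CLDAP table, the function names and the "cifs/<host>" fallback for names that do not answer as a domain are assumptions made for the example, not behaviour the mail asserts.

```python
# Editor's example, not Samba code. Builds the SPN a client might use for a
# domain-based DFS UNC and shows which parts of it come from the user and
# which from an untrusted CLDAP responder.


def parse_unc(unc):
    """Return (server_or_domain, share) from a \\\\name\\share path."""
    if not unc.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % unc)
    parts = unc[2:].split("\\", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC needs a server/domain and a share: %r" % unc)
    return parts[0].lower().rstrip("."), parts[1]


# Constructed stand-in for the CLDAP "closest site" lookup (assumption).
# Keys are DNS domain names the client asks about; values are the DC hostname
# the responder claimed. Everything in the values is attacker-influenced in
# the threat model of the mail.
FAKE_CLDAP = {
    "suse.de": "w2012.suse.de",
    "childdomain.example.com": "dc1.childdomain.example.com",
}


def cldap_ping(name, table=FAKE_CLDAP):
    """Return the DC hostname for an AD domain name, or None if 'name' is not
    known as a domain (e.g. a plain DFS member host)."""
    return table.get(name)


def spn_for_unc(unc, table=FAKE_CLDAP):
    """Choose the SPN for a UNC: three-part ldap/<dc>/<domain> when the name
    answers as an AD domain, otherwise a host-based cifs/<host> SPN
    (the fallback is an assumption of this example)."""
    name, _share = parse_unc(unc)
    dc = cldap_ping(name, table)
    if dc is None:
        # Not resolvable as a domain from the client's point of view:
        # treat the UNC server as an ordinary host.
        return "cifs/" + name
    # Domain-based DFS: the middle part (DC host) came from CLDAP and is
    # untrusted, but the domain part is the name the user typed, and per
    # [MS-ADTS] a three-part SPN can only be registered by DCs/admins.
    return "ldap/%s/%s" % (dc.lower().rstrip("."), name)


def spn_from_cldap_host_only(unc, table=FAKE_CLDAP):
    """Contrast: an SPN built only from the CLDAP-returned hostname. Nothing
    in it is a component the user supplied in the UNC."""
    name, _share = parse_unc(unc)
    dc = cldap_ping(name, table)
    if dc is None:
        return None
    return "cifs/" + dc.lower().rstrip(".")


if __name__ == "__main__":
    for unc in (r"\\suse.de\share",
                r"\\dfsmember.example.com\share",
                r"\\childdomain.example.com\share"):
        print(unc, "->", spn_for_unc(unc), "|", spn_from_cldap_host_only(unc))
```

With the constructed table, \\suse.de\share yields ldap/w2012.suse.de/suse.de, \\childdomain.example.com\share yields a three-part SPN for the child domain, and \\dfsmember.example.com\share falls through to the host-based form because nothing answers for it as a domain; that last case is exactly the ambiguity the mail asks about, and the fallback is the example's choice, not a documented client behaviour.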

