[Samba] How does AD/SMB clients authenticate servers?

Andrew Bartlett abartlet at samba.org
Mon Nov 28 23:12:19 UTC 2022


On Mon, 2022-11-28 at 12:01 -0800, Kris Lou via samba wrote:
> > (and it seems my setup with the same name to mean different
> > things depending on the location based on overriding CNAMEs does not
> > work for this reason: validity of such server can't be verified, and
> > the clients can - in theory - be tricked to access wrong, malicious
> > server instead of the right one, unless I'll do it some other way).
> 
> My (very incomplete) understanding is CNAMES work, as they then
> use referred SPN instead of the CNAME. So, your problem might be that
> FS/CIFS at DOMAIN.tld is already an existing principal in AD, instead of
> global CNAME that only exists in DNS?
> -Kris

I wanted to write more (and may get a chance to later) but this is it. 

Just like certificates in a browser, the name in the URL bar, must
match the certificate exactly, and one certificate can have many names.

So no matter what (untrusted) DNS does under the hood, the name in the
UNC path is the name that the SPN must be for.

That it works without a SPN-registered name is down to NTLM fallback,
which has much weaker protection, and all servers can impersonate each
other (to an extent).

Andrew,


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
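The point in Andrew's reply (the SPN the client asks for is derived from the name typed in the UNC path, not from whatever DNS resolves it to, and a name with no registered SPN silently drops to NTLM) can be traced with a small model. This is an added example, not code from the thread or from Samba; the AD account/SPN table, the DNS zone with its CNAMEs, and the address-to-machine map are all constructed sample data, and `cifs/<host>` is the SPN form an SMB client requests.

```python
"""Model of how an SMB client picks the Kerberos SPN it asks the KDC for,
and what happens when a DNS CNAME is used without a matching SPN.
All data below is constructed sample data, not a real AD or DNS setup."""

# Constructed AD data: machine account -> registered servicePrincipalName values.
AD_SPNS = {
    "FS1$": {"cifs/fs1.domain.tld", "cifs/FS1", "HOST/fs1.domain.tld", "HOST/FS1"},
    # FS2$ also owns the SPN for the "files" alias, even though DNS points
    # "files" at FS1 in this site (the overriding-CNAME setup from the thread).
    "FS2$": {"cifs/fs2.domain.tld", "cifs/FS2", "cifs/files.domain.tld"},
}

# Constructed DNS zone: name -> (record type, value). DNS is untrusted input.
DNS = {
    "fs1.domain.tld": ("A", "192.0.2.10"),
    "fs2.domain.tld": ("A", "192.0.2.11"),
    "files.domain.tld": ("CNAME", "fs1.domain.tld"),   # alias with an SPN on FS2$
    "shares.domain.tld": ("CNAME", "fs1.domain.tld"),  # alias with no SPN at all
}

# Constructed map of which machine actually answers at each address.
ADDRESS_OWNER = {"192.0.2.10": "FS1$", "192.0.2.11": "FS2$"}


def expected_spn(unc_path: str) -> str:
    """The client requests cifs/<host exactly as typed in the UNC path>."""
    if not unc_path.startswith("\\\\"):
        raise ValueError("not a UNC path")
    host = unc_path[2:].split("\\", 1)[0]
    if not host:
        raise ValueError("UNC path has no host component")
    return "cifs/" + host


def resolve(name: str, depth: int = 0) -> str:
    """Follow CNAMEs to the final address; this only decides where packets go."""
    rtype, value = DNS[name.lower()]
    if rtype == "CNAME":
        if depth > 8:
            raise RuntimeError("CNAME chain too long")
        return resolve(value, depth + 1)
    return value


def kdc_lookup(spn: str):
    """Which account holds this SPN (AD matches case-insensitively)? None if nobody."""
    wanted = spn.lower()
    owners = [acct for acct, spns in AD_SPNS.items()
              if wanted in {s.lower() for s in spns}]
    if len(owners) > 1:
        raise RuntimeError(f"duplicate SPN {spn} on {owners}")
    return owners[0] if owners else None


def authenticate(unc_path: str) -> dict:
    """Trace one connection: typed name -> SPN requested -> who can read the ticket."""
    spn = expected_spn(unc_path)
    host = spn.split("/", 1)[1]
    addr = resolve(host)              # what DNS says, CNAMEs followed
    reached = ADDRESS_OWNER[addr]     # the machine that actually answers there
    ticket_for = kdc_lookup(spn)      # whose key the KDC encrypts the ticket with
    if ticket_for is None:
        # No account holds the SPN, so no service ticket: the client falls back
        # to NTLM, which gives it no proof of which server it is talking to.
        outcome = "NTLM fallback, server identity not verified"
    elif ticket_for == reached:
        outcome = "Kerberos, server identity verified"
    else:
        # The ticket is encrypted to FS2$'s key but delivered to FS1, which
        # cannot decrypt it: the name typed and the server reached disagree.
        outcome = f"Kerberos failed: ticket for {ticket_for} delivered to {reached}"
    return {"spn": spn, "address": addr, "reached": reached,
            "ticket_for": ticket_for, "outcome": outcome}


if __name__ == "__main__":
    for path in (r"\\fs1.domain.tld\share", r"\\files.domain.tld\share",
                 r"\\shares.domain.tld\share"):
        r = authenticate(path)
        print(f"{path:28} {r['spn']:26} -> {r['address']} ({r['reached']}): {r['outcome']}")
```

Running it shows the three cases from the thread side by side: the real name works, the CNAME whose SPN lives on another account yields a ticket the reached server cannot use, and the CNAME with no SPN at all "works" only because the client quietly downgrades to NTLM. The fix that keeps Kerberos is to register `cifs/<alias>` on the account of the machine the alias actually points to, so the name in the UNC path and the ticket's owner agree.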

