[Samba] How does AD/SMB clients authenticate servers?

Michael Tokarev mjt at tls.msk.ru
Tue Nov 29 17:03:34 UTC 2022

29.11.2022 02:12, Andrew Bartlett via samba wrote:
> I wanted to write more (and may get a chance to later) but this is it.
> Just like certificates in a browser, the name in the URL bar, must
> match the certificate exactly, and one certificate can have many names.
> So no matter what (untrusted) DNS does under the hood, the name in the
> UNC path is the name that the SPN must be for.
> That it works without a SPN-registered name is down to NTLM fallback,
> which has much weaker protection, and all servers can impersonate each
> other (to an extent).

Yes, this is exactly what I was asking.  In the lack of EXPLICIT SPN (which
is created by samba-tool domain join if smb.conf has netbios aliases set -
a proper SPN is created for each name listed in there), there will be no
protection against impersonation and hijacking.

It is not "my problem" really.  It just appears to be a little-known fact,
many people out there on this list who suggest using CNAMES missed this
very point, that besides a CNAME, a corresponding SPN needs to be created
*too*, - this is not done automatically.

Some people don't even understand that a *server* needs to be authenticated
by a client too.

Thank you for the answer, Andrew - as always very useful and exactly
to the point.


More information about the samba mailing list