[Samba] How do AD/SMB clients authenticate servers?

Michael Tokarev mjt at tls.msk.ru
Tue Nov 29 17:03:34 UTC 2022


29.11.2022 02:12, Andrew Bartlett via samba wrote:
..
> I wanted to write more (and may get a chance to later) but this is it.
> 
> Just like certificates in a browser, the name in the URL bar, must
> match the certificate exactly, and one certificate can have many names.
> 
> So no matter what (untrusted) DNS does under the hood, the name in the
> UNC path is the name that the SPN must be for.
> 
> That it works without a SPN-registered name is down to NTLM fallback,
> which has much weaker protection, and all servers can impersonate each
> other (to an extent).

Yes, this is exactly what I was asking.  In the absence of an EXPLICIT SPN (which
is created by samba-tool domain join if smb.conf has netbios aliases set -
a proper SPN is created for each name listed in there), there will be no
protection against impersonation and hijacking.

It is not "my problem" really.  It just appears to be a little-known fact;
many people out there on this list who suggest using CNAMEs missed this
very point: besides a CNAME, a corresponding SPN needs to be created
*too*, and this is not done automatically.

Some people don't even understand that a *server* needs to be authenticated
by a client too.

Thank you for the answer, Andrew - as always very useful and exactly
to the point.

/mjt
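The point of the exchange above (the name in the UNC path must match a registered SPN, otherwise the client silently falls back to NTLM) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project; the host names, alias names and the machine account FILESRV$ are made up, and it assumes the default AD sPNMappings behaviour under which a host/ SPN also satisfies a cifs/ request.

```python
import re

# Constructed sample: SPNs registered on the file server's machine account,
# as "samba-tool spn list FILESRV$" would print them (names are hypothetical).
REGISTERED_SPNS = {
    "cifs/filesrv.example.com",
    "cifs/FILESRV",
    "host/filesrv.example.com",
    "host/FILESRV",
}

# \\host\share  ->  group 1 = host, group 2 = share
_UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")


def spn_for_unc(unc_path):
    """Return the SPN a client requests for the server named in unc_path.

    The client uses the name exactly as typed; what DNS resolves it to
    (e.g. via a CNAME) does not change the SPN it asks the KDC for.
    """
    m = _UNC.match(unc_path)
    if not m:
        raise ValueError(f"not a UNC path: {unc_path!r}")
    return f"cifs/{m.group(1)}"


def _satisfied(spn, registered_spns):
    """True if spn is registered, either directly or via the host/ service
    class that AD's default sPNMappings maps cifs/ onto (assumption)."""
    have = {s.lower() for s in registered_spns}
    service, _, name = spn.partition("/")
    return spn.lower() in have or f"host/{name}".lower() in have


def auth_mode(unc_path, registered_spns):
    """'kerberos' if the UNC name has a matching SPN, else 'ntlm-fallback'
    (the weaker mode in which the server is not authenticated to the client)."""
    return "kerberos" if _satisfied(spn_for_unc(unc_path), registered_spns) \
        else "ntlm-fallback"


def missing_spns(aliases, registered_spns):
    """For each DNS alias (CNAME) clients may use to reach the server, return
    the cifs/ SPN that still has to be added, e.g. with
    'samba-tool spn add cifs/<alias> FILESRV$' (account name hypothetical)."""
    return [f"cifs/{a}" for a in aliases
            if not _satisfied(f"cifs/{a}", registered_spns)]


if __name__ == "__main__":
    for path in (r"\\filesrv.example.com\data", r"\\files.example.com\data"):
        print(path, "->", auth_mode(path, REGISTERED_SPNS))
    print("SPNs to add:", missing_spns(["files.example.com"], REGISTERED_SPNS))
```

Run it against the output of `samba-tool spn list <MACHINE$>` for every alias you publish in DNS; any alias that comes back as `ntlm-fallback` is one where clients will connect, but without verifying that they reached the real server.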
