[Samba] How does AD/SMB clients authenticate servers?

Kees van Vloten keesvanvloten at gmail.com
Tue Nov 29 18:21:02 UTC 2022


On 29-11-2022 18:03, Michael Tokarev via samba wrote:
> 29.11.2022 02:12, Andrew Bartlett via samba wrote:
> ..
>> I wanted to write more (and may get a chance to later) but this is it.
>>
>> Just like certificates in a browser, the name in the URL bar, must
>> match the certificate exactly, and one certificate can have many names.
>>
>> So no matter what (untrusted) DNS does under the hood, the name in the
>> UNC path is the name that the SPN must be for.
>>
>> That it works without a SPN-registered name is down to NTLM fallback,
>> which has much weaker protection, and all servers can impersonate each
>> other (to an extent).
>
> Yes, this is exactly what I was asking.  In the lack of EXPLICIT SPN (which
> is created by samba-tool domain join if smb.conf has netbios aliases set -
> a proper SPN is created for each name listed in there), there will be no
> protection against impersonation and hijacking.
>
> It is not "my problem" really.  It just appears to be a little-known fact,
> many people out there on this list who suggest using CNAMES missed this
> very point, that besides a CNAME, a corresponding SPN needs to be created
> *too*, - this is not done automatically.
>
> Some people don't even understand that a *server* needs to be authenticated
> by a client too.
>
> Thank you for the answer, Andrew - as always very useful and exactly
> to the point.
>
> /mjt
>
Don't forget that if the name in a UNC path matches a computer-account
name, there are a lot of default SPNs readily available. The SPN service
names can be found here: "CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=example,DC=com", it returns this list:

sPNMappings: 
host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
  or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
  as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
  ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
  on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
  w,http,w3svc,iisadmin,msdtc

Passing an SPN like "cifs/myserver.example.com" to myserver will be
valid. And this is how an smb-client calls the smb-server when
requesting something from a share (when the client has a kerberos-ticket
of course).

If your machine is reachable at something other than its own name, you
would need to define the SPN explicitly, similar to the creation of an
extra DNS entry and possibly an x509 cert with that name.

- Kees
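To make the point in this thread concrete, here is an added example (not code from Samba or from any poster) that parses the sPNMappings value quoted above and applies the AD rule it encodes: a request for service/host is satisfied by a registered host/host SPN whenever the service is in the host= list. The computer-account SPNs and the alias name are constructed for the demonstration.

```python
from typing import Dict, List, Set

# sPNMappings as quoted in the thread, in LDIF folded form: continuation
# lines start with a single space, which LDIF unfolding removes.
SPN_MAPPINGS_LDIF = """sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
 or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
 as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
 ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
 on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
 w,http,w3svc,iisadmin,msdtc"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading whitespace) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += raw.lstrip()
        else:
            lines.append(raw)
    return lines


def parse_spn_mappings(text: str) -> Dict[str, Set[str]]:
    """Return {generic_service: {services it stands in for}}, e.g. {'host': {'cifs', ...}}."""
    mappings: Dict[str, Set[str]] = {}
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "spnmappings":
            continue
        generic, _, aliases = value.strip().partition("=")
        mappings[generic.lower()] = {a.lower() for a in aliases.split(",") if a}
    return mappings


def spn_is_served(requested: str, account_spns: List[str], mappings: Dict[str, Set[str]]) -> bool:
    """True if the account holds the requested SPN exactly or via a generic (host/) mapping."""
    service, _, host = requested.partition("/")
    held = {s.lower() for s in account_spns}
    if requested.lower() in held:
        return True
    return any(service.lower() in aliases and f"{generic}/{host.lower()}" in held
               for generic, aliases in mappings.items())


if __name__ == "__main__":
    maps = parse_spn_mappings(SPN_MAPPINGS_LDIF)
    # Constructed: the default SPNs a joined computer account holds; no CNAME alias registered.
    account = ["HOST/myserver.example.com", "HOST/MYSERVER"]
    for spn in ("cifs/myserver.example.com", "cifs/files.example.com"):
        print(spn, "->", "Kerberos" if spn_is_served(spn, account, maps) else "no SPN, NTLM fallback")
```

A name that reaches the server only through a CNAME (files.example.com here) is reported as unserved until an explicit cifs/ or host/ SPN for that name is added to the account.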