Finishing up the new nads join code [was Re: svn commit: samba r15543...]

Gerald (Jerry) Carter jerry at samba.org
Thu May 18 04:22:00 GMT 2006



Gerald (Jerry) Carter wrote:

> Just an update on where things stand.  Currently known open
> issues are:
> 
> * Setting the SPN when the Samba host's DNS domain
>   is outside of Windows realm does not work (nor does it
>   work on Windows 2000).  The fix is to not use the
>   permissive modify control.  But currently libads/ldap.c
>   tags this onto every request.

The answer here is that WinXP (unlike Win2k) uses the user
creds to set the dNSHostName and the servicePrincipalName
attributes.  But in order to do a non-validated write to
either attribute (the hostname is more important actually),
you have to be a domain admin.  This is *exactly* how it
works with a WinXP client.

More information on validated writes can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

I also experimented with the LDAP signing.  This is simply
a krb5 HMAC-MD5 signature on the GSS-API payload.
To experiment with this, make sure your tickets are encrypted
with RC4-HMAC (or you will only get DES signatures, but not
sure that this matters as far as the domain policy is
concerned) and then run OpenLDAP's search:

$ ldapsearch -O maxssf=1 -Y GSSAPI -b '' -s base \
  -h windc.domain.com '(objectclass=*)'

We can do this in Samba 3, but will have to implement
support in our own SASL code and need to make use
of gss_wrap()/gss_unwrap().  The krb5/gss code already
works as far as I can tell.

> * 'net ads leave' will require user creds.  The only reason
>   that this formerly worked is that we explicitly added
>   the machine's SID to the security descriptor on the computer
>   object.  But you have to have domain admin privileges to
>   do this.  Hence the need to rewrite it to simply disable
>   the account (just like Windows).

Still todo.

> * Setting the UPN.  Still thinking about this one...

Tossing this one out and will make use of the
sAMAccountName instead.

> * Using a pre-existing tkt cache is broken (segv: easy fix)

Still broken.  Will fix this tomorrow.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
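The validated-write rules Jerry's reply refers to, worked through as an added example that is not code from this thread or from Samba. It models, as an assumption drawn from the Microsoft control-access-rights documentation linked above, the checks a DC applies before it lets a computer account write its own dNSHostName and servicePrincipalName without Domain Admin rights; the class, function and sample names are constructed for illustration.

```python
# Added example: models the DC-side "validated write" checks for the
# dNSHostName and servicePrincipalName attributes of a computer object.
# Rule summary (assumption, after the Validated-DNS-Host-Name and
# Validated-SPN control access rights): a computer may set its own
# dNSHostName only if the host label equals its sAMAccountName without
# the trailing '$' and the DNS suffix is one of the domain's DNS names;
# it may add an SPN only if the SPN's host part equals that dNSHostName
# or the bare computer name.  Anything else is a non-validated write,
# which needs the generic write right that Domain Admins hold.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ComputerObject:
    sam_account_name: str                  # e.g. "SAMBABOX$" (constructed)
    dns_host_name: Optional[str] = None
    spns: List[str] = field(default_factory=list)


def computer_name(obj: ComputerObject) -> str:
    return obj.sam_account_name.rstrip("$").lower()


def validated_dns_host_name_ok(obj, dns_host_name, domain_dns_names) -> bool:
    host, _, suffix = dns_host_name.lower().partition(".")
    suffixes = {d.lower() for d in domain_dns_names}
    return host == computer_name(obj) and suffix in suffixes


def validated_spn_ok(obj, spn) -> bool:
    # SPN form is service/host[:port][/name]; only the host part is checked
    parts = spn.split("/")
    if len(parts) < 2:
        return False
    host = parts[1].split(":")[0].lower()
    allowed = {computer_name(obj)}
    if obj.dns_host_name:
        allowed.add(obj.dns_host_name.lower())
    return host in allowed


def try_self_service_write(obj, attr, value, domain_dns_names) -> str:
    """Apply the write as the machine account itself; return 'accepted' or
    the reason it is refused when the caller lacks Domain Admin rights."""
    if attr == "dNSHostName":
        if validated_dns_host_name_ok(obj, value, domain_dns_names):
            obj.dns_host_name = value
            return "accepted"
        return "refused: dNSHostName outside the domain's DNS names (non-validated write)"
    if attr == "servicePrincipalName":
        if validated_spn_ok(obj, value):
            obj.spns.append(value)
            return "accepted"
        return "refused: SPN host matches neither dNSHostName nor the computer name"
    return "refused: attribute has no validated-write right"
```

A Samba host whose DNS name sits outside the Windows realm lands on the refused branch for both attributes, which is why the join then needs domain-admin credentials rather than the machine's own.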