Finishing up the new nads join code [was Re: svn commit: samba r15543...]
Gerald (Jerry) Carter
jerry at samba.org
Thu May 18 04:22:00 GMT 2006
Gerald (Jerry) Carter wrote:
> Just an update on where things stand. Currently known open
> issues are:
>
> * Setting the SPN when the Samba host's DNS domain
> is outside of Windows realm does not work (nor does it
> work on Windows 2000). The fix is to not use the
> permissive modify control. But currently libads/ldap.c
> tags this onto every request.
The answer here is that WinXP (unlike Win2k) uses the user
creds to set the dNSHostName and the servicePrincipalName
attributes. But in order to do a non-validated write to
either attribute (the hostname is more important actually),
you have to be a domain admin. This is *exactly* how it
works with a WinXP client.
More information on validated writes can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
I also experimented with the LDAP signing. This is simply
a krb5 HMAC-MD5 signature on the GSS-API payload.
To experiment with this, make sure your tickets are encrypted
with RC4-HMAC (or you will only get DES signatures, but I'm not
sure that this matters as far as the domain policy is
concerned) and then run OpenLDAP's search:
$ ldapsearch -O maxssf=1 -Y GSSAPI -b '' -s base \
-h windc.domain.com '(objectclass=*)'
We can do this in Samba 3, but will have to implement
support in our own SASL code and need to make use
of gss_wrap()/gss_unwrap(). The krb5/gss code already
works as far as I can tell.
> * 'net ads leave' will require user creds. The only reason
> that this formerly worked is that we explicitly added
> the machine's SID to the security descriptor on the computer
> object. But you have to have domain admin privileges to
> do this. Hence the need to rewrite it to simply disable
> the account (just like Windows).
Still todo.
> * Setting the UPN. Still thinking about this one...
Tossing this one out and will make use of the
sAMAccountName instead.
> * Using a pre-existing tkt cache is broken (segv: easy fix)
Still broken. Will fix this tomorrow.
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
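The "validated write" point above is worth seeing as code. What follows is an added example, not Samba or Windows code: it models, in simplified form, the self-write checks a domain controller applies to dNSHostName and servicePrincipalName on a computer object (the Validated-DNS-Host-Name and Validated-SPN control access rights), and shows why a Samba host whose DNS domain lies outside the AD domain cannot set dNSHostName with its own machine credentials and needs a non-validated write by a domain admin instead. It goes beyond the single case in the mail by also covering the SPN rule. The class and function names, the `ComputerObject`/`Domain` models and the sample hostnames are assumptions made for the example; msDS-AllowedDNSSuffixes and msDS-AdditionalDnsHostName are modelled as plain lists, and the port/instance parts of an SPN are tolerated but not otherwise checked.

```python
"""Approximation of the AD validated-write checks for dNSHostName and
servicePrincipalName on a computer object (cf. MS-ADTS 3.1.1.5.3.1.1.5/.6).
Added example for illustration; not Samba's or Windows' code. Simplified:
msDS-AllowedDNSSuffixes and msDS-AdditionalDnsHostName are plain lists,
and SPN port/instance parts are accepted but not validated further.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ComputerObject:
    sam_account_name: str                       # e.g. "FILESRV$" (assumed)
    dns_host_name: Optional[str] = None
    additional_dns_host_names: List[str] = field(default_factory=list)


@dataclass
class Domain:
    dns_name: str                               # e.g. "corp.example.com" (assumed)
    allowed_dns_suffixes: List[str] = field(default_factory=list)


def _short_name(computer: ComputerObject) -> str:
    # sAMAccountName without the trailing '$', case-folded.
    return computer.sam_account_name.rstrip("$").lower()


def validated_dns_host_name_ok(computer: ComputerObject, domain: Domain, value: str) -> bool:
    """Self-write of dNSHostName is *validated*: the DC only accepts
    <sAMAccountName without '$'>.<suffix>, where suffix is the domain's own
    DNS name or one listed in msDS-AllowedDNSSuffixes."""
    value = value.lower().rstrip(".")
    prefix, sep, suffix = value.partition(".")
    if not sep or prefix != _short_name(computer):
        return False
    allowed = [domain.dns_name.lower()] + [s.lower() for s in domain.allowed_dns_suffixes]
    return suffix in allowed


def validated_spn_ok(computer: ComputerObject, value: str) -> bool:
    """Self-write of servicePrincipalName is *validated*: the host part of
    class/host[:port][/instance] must name this computer, i.e. equal its
    dNSHostName, the first label of it, the short sAMAccountName, or one
    of msDS-AdditionalDnsHostName."""
    parts = value.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return False
    host = parts[1].split(":")[0].lower()
    names = {_short_name(computer)}
    for name in [computer.dns_host_name] + computer.additional_dns_host_names:
        if name:
            name = name.lower()
            names.add(name)
            names.add(name.split(".")[0])
    return host in names


def write_allowed(attr: str, computer: ComputerObject, domain: Domain,
                  value: str, is_domain_admin: bool) -> str:
    """How the write would be admitted: 'validated' if the self-write rule
    accepts the value, 'admin' if only a non-validated write by a principal
    holding Write-Property (here modelled as a domain admin) would, else
    'denied'."""
    if attr == "dNSHostName":
        ok = validated_dns_host_name_ok(computer, domain, value)
    elif attr == "servicePrincipalName":
        ok = validated_spn_ok(computer, value)
    else:
        raise ValueError("unsupported attribute: %s" % attr)
    if ok:
        return "validated"
    return "admin" if is_domain_admin else "denied"


if __name__ == "__main__":
    dom = Domain("corp.example.com")
    box = ComputerObject("FILESRV$")
    # Host inside the AD domain: machine creds suffice (validated write).
    print(write_allowed("dNSHostName", box, dom, "filesrv.corp.example.com", False))
    # Host outside the realm (the case in the mail): machine creds fail,
    # a domain admin doing a non-validated write succeeds.
    print(write_allowed("dNSHostName", box, dom, "filesrv.unix.example.org", False))
    print(write_allowed("dNSHostName", box, dom, "filesrv.unix.example.org", True))
    box.dns_host_name = "filesrv.corp.example.com"
    print(write_allowed("servicePrincipalName", box, dom, "HOST/filesrv.corp.example.com", False))
    print(write_allowed("servicePrincipalName", box, dom, "HOST/other.corp.example.com", False))
```

The operational consequence matches the mail: sending the permissive-modify control does not help, because the DC's decision is about which access right (validated self-write vs. Write-Property) the caller holds, not about the LDAP modify semantics.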