samba 4 TP3 and Windows SSPI
Andrew Bartlett
abartlet at samba.org
Thu Nov 9 23:37:56 GMT 2006
On Thu, 2006-11-09 at 17:33 +0300, Joshua Masiko wrote:
> DsWriteAccountSpn allows you to de-couple the way the client connects from
> the account the server is running under
>
> it basically maps a service principal name to the server account such that
> in InitializeSecurityContext the client can specify the SPN as the target
> without knowing the account under which the server is running. Details are
> on MSDN online.
Looks like a mere matter of implementation, we appear to have figured
out the IDL.
> Which brings me to another problem.
> When running the server under any domain account other than
> localsystem (e.g. joshua) InitializeSecurityContext fails. A look at the
> Samba log shows
> Kerberos: Principal may not act as server -- joshua@YOUR.REALM
>
> Running the server under the localsystem account works since it uses the
> machine account and one can use DOMAIN\machinename$ as the target in
> InitializeSecurityContext.
Very interesting. That is an additional restriction that I added, to
prevent offline attacks against user passwords.
If you add a service principal name, it will work, but perhaps this is
why Microsoft still allows this by default.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
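The restriction Andrew describes above rests on one property of Kerberos: a service ticket is sealed under the service account's long-term key, and that key is a deterministic function of the account's password. Any client that can request a ticket for a principal therefore holds something it can test candidate passwords against offline. The following is an added illustration, not code from Samba, Windows SSPI, or the thread's participants; it models the idea with PBKDF2 and an HMAC tag rather than the real RFC 3962 construction (the DK() step and the AES-CBC-CTS layer are omitted), and the principal names, passwords, wordlist and SPN are constructed for the demonstration. `may_act_as_server` is a stand-in for the behaviour described in the reply, not Samba's actual check.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

REALM = "YOUR.REALM"        # realm from the log line quoted in the thread
PBKDF2_ITERATIONS = 4096    # Kerberos AES default; RFC 3962's DK() step is omitted (simplification)


def string_to_key(password: str, principal: str, realm: str = REALM) -> bytes:
    """Simplified Kerberos AES string-to-key: the long-term key is a pure
    function of the password plus a public salt (realm + principal name)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, PBKDF2_ITERATIONS, dklen=16)


def issue_service_ticket(service_key: bytes, enc_part: bytes) -> tuple:
    """KDC side, reduced to what the attack needs: the ticket's encrypted part
    carries an integrity tag keyed with the *service* account's key, and the
    KDC hands it to any authenticated client that asks for that principal."""
    tag = hmac.new(service_key, enc_part, hashlib.sha1).digest()
    return enc_part, tag


def offline_guess(ticket: tuple, principal: str, wordlist: list) -> Optional[str]:
    """Attacker side: each candidate is checked entirely offline by re-deriving
    the key and recomputing the tag. No further contact with the KDC or the
    service is needed, so lockout policies never trigger."""
    enc_part, tag = ticket
    for candidate in wordlist:
        guess = hmac.new(string_to_key(candidate, principal), enc_part, hashlib.sha1).digest()
        if hmac.compare_digest(guess, tag):
            return candidate
    return None


def may_act_as_server(principal: str, registered_spns: set) -> bool:
    """Model of the restriction described in the reply (assumption, not
    Samba's real check): a plain user principal is refused as a ticket
    target; a machine account ('name$') or an account with a registered SPN
    is accepted."""
    return principal.endswith("$") or bool(registered_spns)


def demo() -> dict:
    # Constructed sample data: one human-chosen password, one machine-style
    # random password (Windows generates and rotates machine passwords itself).
    user_principal, user_password = "joshua", "Summer2006"
    host_principal, host_password = "WS01$", secrets.token_hex(60)  # 120 random hex characters
    wordlist = ["password", "Password1", "joshua", "Summer2006", "Welcome1"]

    enc_part = os.urandom(64)  # stands in for the encrypted ticket body
    user_ticket = issue_service_ticket(string_to_key(user_password, user_principal), enc_part)
    host_ticket = issue_service_ticket(string_to_key(host_password, host_principal), enc_part)

    return {
        "user_refused_without_spn": not may_act_as_server(user_principal, set()),
        "user_allowed_with_spn": may_act_as_server(user_principal, {"HOST/app.your.realm"}),
        "machine_allowed": may_act_as_server(host_principal, set()),
        "user_password_recovered": offline_guess(user_ticket, user_principal, wordlist),
        "machine_password_recovered": offline_guess(host_ticket, host_principal, wordlist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Registering an SPN on the user account makes the ticket request succeed, which is exactly what the quoted question needs, but it also makes that account's password the thing every ticket is sealed with; the random, automatically rotated machine-account password survives the same wordlist because there is nothing to guess.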