[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Mechglue
On Mon, 24 Oct 2005 06:52:36 +1000
Andrew Bartlett <abartlet@samba.org> wrote:
> On Sun, 2005-10-23 at 13:05 -0400, Michael B Allen wrote:
> > On Sun, 23 Oct 2005 22:41:57 +1000
> > Andrew Bartlett <abartlet@samba.org> wrote:
> >
> > > On Sat, 2005-10-22 at 22:55 -0400, Michael B Allen wrote:
> > >
> > > > 3) This one's a little CIFS specific but the
> > > > spnego/accept_sec_context.c:send_supported_mechs function sends
> > > > the quark$@FOO.NET style name in negHints but I see Samba returns
> > > > cifs/quark.foo.net@FOO.NET. What is the difference between these service
> > > > principal types? Is the first NetBIOS based (port 139 only) and the
> > > > other DNS based (port 445 only)?
> > >
> > > Samba3 did send the previous form, matching windows until very recently,
> > > when I changed it, because only samba clients read that feild, I thought
> > > it gave better behaviour on the network. I didn't intend it to get into
> > > the release, but once it was in it was decided it wasn't doing any harm.
> > >
> > > Samba4 again matches windows and sends the former form, but does not use
> > > that value in the client.
> >
> > Oops, I was using that to create the target_name for GSSAPI
> > init_sec_context. Are you *SURE* clients don't use it? Then I wonder
> > what purpose it serves.
>
> My understanding is that it is useful, and insecure. One of the things
> that makes kerberos fairly secure is that the KDC controls what hosts
> may be contacted: A host outside your network cannot ask to be
> authenticated to with kerberos, expecting a ticket of a trusted host
> inside your network, as your KDC won't know the name.
Mmm, so, for example, if I connect to a machine called "extdata" that is
not a member of my Kerberos realm (or a trusted realm) and it malicously
replies with this negHints field set to the name of a machine that IS
in my Kerberos realm, then I will inadvertantly send a token that it
can then try to crack in some way?
> When using this target_name, the client bypasses this, any any host can
> ask to be sent tickets intended for any other host. On a practical
> standpoint, this value may not always be available and I wanted
> consistent behaviour cross-protocol.
Then perhaps we should just leave it out altogether?
Otherwise, what is the proper SPN to be used with target_name? Is it
always the first label of the DNS name + '$' + '@' + 'REALM'?
Also, when Samba started using cifs/<fqdn>@REALM, did users have to
suddently start using these Samba-ized SPNs with their Windows KDCs
and keytabs?
Mike