author | Andrew Bartlett <abartlet@samba.org> | 2010-12-04 14:11:57 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-12-10 16:08:30 +1100 |
commit | b3c2df5e0d0ba1c17c3248bf9d238de3c54613ef (patch) | |
tree | 4ea83abb3d8669287b69658ec3a6fcde6cad29d6 /source3/smbd | |
parent | bb7806283e71f3b8029aae0eed326b5847a36d83 (diff) | |
download | samba-b3c2df5e0d0ba1c17c3248bf9d238de3c54613ef.tar.gz samba-b3c2df5e0d0ba1c17c3248bf9d238de3c54613ef.tar.bz2 samba-b3c2df5e0d0ba1c17c3248bf9d238de3c54613ef.zip |
s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
This patch, based on the suggestion by Goldberg, Neil R. <ngoldber@mitre.org>
turns off the sending of the principal in the negprot by default, matching
Windows 2008 behaviour.
This slowly works us back from this hack, which from an RFC
perspective was never the right thing to do in the first place, but we
traditionally follow Windows behaviour. It also discourages client
implementations from relying on it, as if they do they are more open to
man-in-the-middle attacks.
Andrew Bartlett
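The commit message refers to the principal hint only by name, so the following is an added example, not Samba's code, that encodes and decodes a SPNEGO negTokenInit to show where that hint actually sits on the wire and what a client should do with it. It assumes the Microsoft NegTokenInit2 layout, in which negHints occupies context tag [3] (RFC 4178's NegTokenInit has no negHints field, which is the "RFC perspective" the commit message alludes to); it assumes a client that names its Kerberos target as cifs/<the host it connected to>; and every token, hostname and hint value in it is constructed for the demonstration, including the "attacker" hint that stands in for a man-in-the-middle rewriting the negprot response.

```python
"""Added example (not Samba code): encode/decode a SPNEGO negTokenInit with the
optional negHints.hintName, and show a client deriving its Kerberos target
without consulting that hint. Assumed layout: Microsoft NegTokenInit2
(negHints at [3]); assumed SPN form: cifs/<host>; all inputs are constructed."""

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
# Placeholder hint quoted in the patch comment as what Windows 2008+ sends.
WINDOWS_IGNORE_HINT = "not_defined_in_RFC4178@please_ignore"

def der_len(n):
    """DER length octets: short form below 128, else 0x80|count then big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element); reject truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def build_neg_token_init(mech_oids, hint_name=None):
    """GSS InitialContextToken [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    hints = b""
    if hint_name is not None:
        # negHints [3] SEQUENCE { hintName [0] GeneralString } (MS extension)
        hints = tlv(0xA3, tlv(0x30, tlv(0xA0, tlv(0x1B, hint_name.encode("ascii")))))
    return tlv(0x60, encode_oid(OID_SPNEGO) + tlv(0xA0, tlv(0x30, mech_types + hints)))

def parse_neg_token_init(token):
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != OID_SPNEGO:
        raise ValueError("not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, fields, _ = read_tlv(choice)
    parsed, pos = {"mech_types": [], "hint_name": None}, 0
    while pos < len(fields):
        tag, field, pos = read_tlv(fields, pos)
        if tag == 0xA0:                      # mechTypes: SEQUENCE OF OID
            _, seq, _ = read_tlv(field)
            p = 0
            while p < len(seq):
                _, oid, p = read_tlv(seq, p)
                parsed["mech_types"].append(decode_oid(oid))
        elif tag == 0xA3:                    # negHints
            _, seq, _ = read_tlv(field)
            p = 0
            while p < len(seq):
                t, h, p = read_tlv(seq, p)
                if t == 0xA0:                # hintName
                    _, name, _ = read_tlv(h)
                    parsed["hint_name"] = name.decode("ascii")
    return parsed

def choose_kerberos_target(connected_host, parsed):
    """Client side: the SPN comes from the name the client itself connected to.
    The server's hint is only reported, never used, so a man-in-the-middle
    rewriting the negprot response cannot steer the client to its own principal.
    Returns (spn, whether a real-looking hint was present and discarded)."""
    hint = parsed["hint_name"]
    discarded = hint is not None and hint != WINDOWS_IGNORE_HINT
    return "cifs/" + connected_host, discarded

if __name__ == "__main__":
    for label, hint in (("no hint (this commit's new default)", None),
                        ("Windows placeholder hint", WINDOWS_IGNORE_HINT),
                        ("constructed attacker hint", "cifs/attacker.example.com@EXAMPLE.COM")):
        parsed = parse_neg_token_init(build_neg_token_init([OID_KRB5, OID_NTLMSSP], hint))
        spn, discarded = choose_kerberos_target("fileserver.example.com", parsed)
        print(f"{label}: hint={parsed['hint_name']!r} target={spn} discarded={discarded}")
```

The point of the third case is the one the commit message makes: a client that fed `hint_name` into its ticket request would obtain a ticket for whatever principal the peer named, whereas `choose_kerberos_target` yields `cifs/fileserver.example.com` regardless of what the token carried. Real clients (including Samba's own) have more mech-list and MIC handling than this, but the hint field is where the trust decision is made.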
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/negprot.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index a0c1d2594f..443fac4b4b 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -213,6 +213,9 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) /* Code for standalone WXP client */ blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE"); #endif + } else if (!lp_send_spnego_principal()) { + /* By default, Windows 2008 and later sends not_defined_in_RFC4178@please_ignore */ + blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, ADS_IGNORE_PRINCIPAL); } else { fstring myname; char *host_princ_s = NULL; |
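Review bot: the new `else if (!lp_send_spnego_principal())` branch references two symbols this hunk does not define, `lp_send_spnego_principal()` and `ADS_IGNORE_PRINCIPAL`, and the diffstat shown here is limited to source3/smbd, so confirm that the loadparm entry for the new parameter (defaulting to off, as the commit message says), the constant carrying the `not_defined_in_RFC4178@please_ignore` string, and the smb.conf(5) documentation for the option all land in the same commit. The code comment records only what Windows 2008 and later sends; a short note that clients relying on the hint are more exposed to man-in-the-middle attacks, as the commit message explains, would keep the rationale beside the code for anyone who later turns the option back on.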