From bb7806283e71f3b8029aae0eed326b5847a36d83 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 4 Dec 2010 13:48:37 +1100
Subject: s3-libads Default to NOT using the server-supplied principal from SPNEGO

This principal is not supplied by later versions of windows, and using it opens up some oportunities for man in the middle attacks. (Becuase it isn't the name being contacted that is verified with the KDC). This adds the option 'client use spnego principal' to the smb.conf (as used in Samba4) to control this behaivour. As in Samba4, this defaults to false. Against 2008 servers, this will not change behaviour. Against earlier servers, it may cause a downgrade to NTLMSSP more often, in environments where server names are not registered with the KDC as servicePrincipalName values. Andrew Bartlett
---
 source3/param/loadparm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'source3/param')

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0bc27dca03..05958b47d2 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -338,6 +338,7 @@ struct global {
 	bool bClientNTLMv2Auth;
 	bool bClientPlaintextAuth;
 	bool bClientUseSpnego;
+	bool client_use_spnego_principal;
 	bool bDebugPrefixTimestamp;
 	bool bDebugHiresTimestamp;
 	bool bDebugPid;
@@ -1398,6 +1399,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list = NULL,
 		.flags = FLAG_ADVANCED,
 	},
+	{
+		.label = "client use spnego principal",
+		.type = P_BOOL,
+		.p_class = P_GLOBAL,
+		.ptr = &Globals.client_use_spnego_principal,
+		.special = NULL,
+		.enum_list = NULL,
+		.flags = FLAG_ADVANCED,
+	},
 	{
 		.label = "username",
 		.type = P_STRING,
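Review bot: The new member `client_use_spnego_principal` is written in snake_case while every neighbouring member of `struct global` visible in this hunk (`bClientUseSpnego`, `bDebugPrefixTimestamp`, `bDebugPid`) follows the file's `bCamelCase` convention, so a reader scanning the struct would expect `bClientUseSpnegoPrincipal`. If the spelling is deliberately kept to match the Samba4 option name, as the commit message suggests, that deserves a trailing comment, and the field is also the natural place to record why the default is the safe one, e.g. `bool client_use_spnego_principal; /* false: verify the name we contacted, not the SPNEGO-supplied one */`. `struct global` begins before the hunk and continues after it.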
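Review bot: The parm_table entry registers the option, but nothing in this patch assigns a default to `Globals.client_use_spnego_principal`, so the "defaults to false" promised in the commit message rests on the Globals struct being zeroed during initialisation rather than on a visible assignment (the defaults code is outside this hunk, and this cgit view is limited to source3/param). Since the option exists to close a man-in-the-middle exposure, the safe default should be stated explicitly next to the existing `bClientUseSpnego` default, `Globals.client_use_spnego_principal = false;`, so a later reorganisation of the initialiser cannot silently change it. `parm_table` continues on both sides of the hunk.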
@@ -5711,6 +5721,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
 FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
 FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
 FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)
-- 
cgit
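Review bot: The accessor `lp_client_use_spnego_principal()` is added here, but no code in this patch calls it, so the behaviour change the commit message describes (libads no longer trusting the server-supplied principal) depends on a caller that is not visible in this "(limited to 'source3/param')" view. If that libads change is not part of the same commit, the new option is a no-op until it lands, which is worth stating in the commit message so reviewers of the parameter change alone know the security fix is not yet in effect. The FN_GLOBAL_BOOL list continues on both sides of the hunk.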