On Tue, 2008-06-10 at 11:52 -0700, Richard Guthrie wrote:
> Andrew,
> 
> In response to question 1, 2 & 3 involving the MS-SNTP document, section 
> 3.2.5 specifies the following:
> 
> If the server fails to retrieve the cryptographic keys or to compute the 
> crypto-checksum, the server SHOULD<16> fail the authentication and ignore the 
> request without responding.
> 
> Note 16 further clarifies the behavior of a couple of flavors of the server 
> operating system as:
> 
> <16> Section 3.2.5: Windows NTP servers in Windows 2000, Windows XP, and 
> Windows Server 2003 do not honor the above "SHOULD". Instead, they respond to 
> the request. In Windows 2000, the server responds with a Server NTP Response 
> message without an Authenticator field if authentication fails. In Windows XP 
> and Windows Server 2003, the server responds with a Server NTP Response 
> message that includes an Authenticator field in which the Crypto-Checksum 
> subfield is set to zero.
> In Windows Server 2008, in the case of the read-only domain controller (RODC) 
> as the server, if the RODC does not store the cryptographic key locally, the 
> server validates the RID. If the RID identifies a valid object, the server 
> forwards the original Client NTP Request message to its own time source, 
> which must be a writable domain controller. The writable domain controller 
> that has the cryptographic key authenticates the client's request instead. On 
> receiving the response from the writable domain controller, the RODC forwards 
> the response to the client. This process is known as "chaining". If the RID 
> is not identified as a valid object, the server fails the authentication and 
> ignores the request without responding.
> 
> In addition you can reference section 3.5.4.7.2 of the MS-NRPC
> documentation which discusses invalid accounts or accounts that could
> not be found.  This covers what the response should look like when
> authentication fails which I think answers question 3 and the behavior
> when the account is disabled.

As alternate implementations do not need to call
NetrLogonComputeServerDigest (nor is this referenced in the spec) can
you please move or reference the discussion of how accounts are
described as 'invalid' to the SNTP doc?

> Let me know if this closes these issues.

As it appears the only control is on accounts marked disabled, the
security section needs to detail the attacks that should be considered
against accounts that are expired or otherwise unavailable, but not
marked 'disabled'.  (Unless of course machine accounts are not subject
to such restrictions, in which case it should be clarified). 

Regardless (but perhaps you are dealing with this separately) the issue
of offline password attacks needs to be considered in the security
section. 

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
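The quoted MS-SNTP text describes three shapes a Server NTP Response can take when authentication fails on the server side: no Authenticator field at all (Windows 2000), an Authenticator whose Crypto-Checksum subfield is all zeros (Windows XP / Server 2003), or no response. The practical point for an implementer is that neither of the first two may be accepted as an authenticated reply. The following is an added example, not code from the thread or from the MS-SNTP document, of a client-side classifier that parses the response and makes that distinction. It assumes the usual 48-byte NTP header, an optional 20-byte Authenticator made of a 4-byte Key Identifier followed by a 16-byte Crypto-Checksum, and a checksum computed as MD5 over key || 48-byte message; the Key Identifier's internal bit layout and the derivation of the 16-byte key from the machine account password are not reproduced (a raw key is passed in), and all packets are constructed for the demonstration.

```python
"""Classify an MS-SNTP Server NTP Response by the state of its Authenticator.

Added example, not the MS-SNTP document's or the Samba project's own code.
Assumptions (not taken from the document): a 48-byte NTP header, an optional
20-byte Authenticator = 4-byte Key Identifier + 16-byte Crypto-Checksum, and
Crypto-Checksum = MD5(key || 48-byte message) with a raw 16-byte key.
"""
import hashlib
import hmac
from enum import Enum

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
CHECKSUM_LEN = 16
AUTHENTICATED_LEN = NTP_HEADER_LEN + KEY_ID_LEN + CHECKSUM_LEN  # 68 bytes


class AuthResult(Enum):
    NO_AUTHENTICATOR = "no Authenticator field (the Windows 2000 failure shape)"
    ZERO_CHECKSUM = "Crypto-Checksum is all zeros (the XP / 2003 failure shape)"
    BAD_CHECKSUM = "Crypto-Checksum present but does not verify"
    MALFORMED = "length is neither 48 nor 68 bytes"
    VERIFIED = "Crypto-Checksum verifies against the expected key"


def compute_checksum(key: bytes, message: bytes) -> bytes:
    """Assumed checksum construction: MD5 over key || NTP message."""
    return hashlib.md5(key + message).digest()


def classify_response(packet: bytes, key: bytes) -> AuthResult:
    """Map a raw server response to one of the AuthResult states."""
    if len(packet) == NTP_HEADER_LEN:
        # Server answered, but dropped the Authenticator entirely.
        return AuthResult.NO_AUTHENTICATOR
    if len(packet) != AUTHENTICATED_LEN:
        return AuthResult.MALFORMED
    message = packet[:NTP_HEADER_LEN]
    checksum = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if checksum == bytes(CHECKSUM_LEN):
        # Authenticator present, Crypto-Checksum subfield zeroed.
        return AuthResult.ZERO_CHECKSUM
    expected = compute_checksum(key, message)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(checksum, expected):
        return AuthResult.BAD_CHECKSUM
    return AuthResult.VERIFIED


def is_authenticated(packet: bytes, key: bytes) -> bool:
    """Only a verifying checksum counts; the two failure shapes never do."""
    return classify_response(packet, key) is AuthResult.VERIFIED


def build_response(key: bytes, key_id: bytes) -> bytes:
    """Construct a well-formed authenticated response for demonstration.

    Header byte 0 = 0x1c (LI=0, VN=3, Mode=4 server); remaining fields zero,
    since only the Authenticator handling is being exercised here.
    """
    header = bytes([0x1C]) + bytes(NTP_HEADER_LEN - 1)
    return header + key_id + compute_checksum(key, header)


if __name__ == "__main__":
    demo_key = b"\x11" * 16                  # constructed, not a real key
    demo_key_id = b"\x00\x00\x04\xd2"        # constructed Key Identifier
    good = build_response(demo_key, demo_key_id)
    samples = {
        "verified": good,
        "no authenticator": good[:NTP_HEADER_LEN],
        "zero checksum": good[:NTP_HEADER_LEN + KEY_ID_LEN] + bytes(CHECKSUM_LEN),
        "wrong key": build_response(b"\x22" * 16, demo_key_id),
    }
    for name, pkt in samples.items():
        print(f"{name:17} -> {classify_response(pkt, demo_key).value}")
```

The split between `classify_response` and `is_authenticated` is deliberate: a client that wants to log why a reply was rejected can use the detailed state, while code that decides whether to trust the timestamp sees only a boolean that is true in exactly one case.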
