Hello again Andrew - I have a 'short' answer for you. Windows 2008 does the following additional checks:

1. NETLOGON_WORKSTATION_INFO.DnsHostName and ComputerName match appropriately (re: trailing '$' on ComputerName)
2. NETLOGON_WORKSTATION_INFO.DnsHostName suffix is checked against msDS-AllowedDNSSuffixes.

I can't at the moment be more complete, without exercising NetrLogonGetDomainInfo against 2000, 2003 and so on. I hesitate to attempt a description against code hand-checks, as it is just too easy to miss something.

Do you have any test software already configured to do that?

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606

-----Original Message-----
From: Bill Wesse
Sent: Wednesday, August 26, 2009 9:05 AM
To: 'Andrew Bartlett'
Cc: [email protected]; [email protected]; Matthias Dieter Wallnöfer
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

I will look into Windows 2008 behavior on this and get back to you as soon as I can; I expect to be able to start later today.

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Tuesday, August 25, 2009 8:35 PM
To: Bill Wesse
Cc: [email protected]; [email protected]; Matthias Dieter Wallnöfer
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

On Tue, 2009-08-25 at 07:04 -0700, Bill Wesse wrote:
> Good morning Andrew. Thanks for your feedback. I have interpolated available
> information below.
>
> >> Andrew - I think I might have missed a previous email of yours. If so, I
> >> offer my apologies.
> >>
> >> The actual Windows behavior is - as Matthias noted previously -
> >> that NetrLogonGetDomainInfo bypasses the servicePrincipalName
> >> constraints (which are documented in [MS-ADTS] 3.1.1.5.3.1.1.4).
> >
> >OK, When will this security bug be addressed? I thought I saw a difference
> >in this behaviour for Windows 2008 - honestly I was expecting 'Windows 2008
> >fixed this' as your reply.
>
> This is currently 'work-in-progress', and I will update you as soon as I have
> information. My understanding is that this is not an issue with releases
> after Windows 2003 (which matches with your comments concerning Windows 2008).

Great. Can you give me the exact rules as they apply to Windows 2008
then? I can work from them to fix this up to match Windows 2008
behaviour (which was my original goal, but wasn't what Matthias wrote
the code to match).

> >> We are currently working on which document this should be addressed
> >> in ([MS-ADTS] or [MS-NRPC]). I expect that [MS-NRPC] is not the
> >> correct place, since SPN validation is carried out by Active
> >> Directory, outside the scope of the NetLogon protocol. I do not yet
> >> have any information concerning whether or not any product bugs
> >> will be filed, but I have alerted the appropriate folks here at
> >> Microsoft. That may impact any forthcoming Windows Behavior notes.
> >
> >OK. I would appreciate an update on what the expected long-term
> >behaviour of Microsoft products will be, so we know what we must
> >emulate. (Oh the joys of bug-for-bug compatibility)
>
> Some of this will depend on Windows 2003 and earlier bug/fix details. I will
> keep you advised!
>
> >Thanks for the detail. I look forward to being able to use it some
> >day :-)
>
> My pleasure!

Thanks,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
