On Tue, 2005-04-12 at 12:56 -0400, David Girard wrote:
> OK, I have applied the "use spnego=no" and it seems to have resolved the
> problem...
>
> Could you describe what this setting is doing?...I haven't been able
> to find any reference to this setting other than your previous posts
> telling people to use it...
Samba 3.0 introduced the ability to support 'extended security', where instead of the traditional NTLM challenge/response system being based on a challenge in the NegProt packet, we would instead break out to a generalised authentication system, based on multiple round trips.

Session setup and authentication are fairly well described in CRH's book: http://www.ubiqx.org/cifs/SMB.html#SMB.8

When we are using extended security, there are multiple legs to the session setup part of this problem. As the client sends the first of the 4 packets in this system ('negotiate'), we should enclose a vuid 'cookie' with the 'challenge'. When the client returns with the 'auth' packet, we can line up the challenge we sent, and correctly finish the state machine.

If, as in Samba3, we do not include a vuid (we send 0) to connect to the correct state machine, we would logically link a 'challenge' with an 'auth' to which there is no relation. This then results in WRONG_PASSWORD, as the cryptography is wrong. The RAW-CONTEXT test from Samba4 should demonstrate this nicely.

> I need to understand if there are security or performance implications
> to this setting.

In particular, it will not be possible to use kerberos in any form to this server, and NTLM2 will not be negotiated, so clients will send the LM password on the wire. Performance and reliability with the not-recommended security=server will also suffer.

The reason we have not fixed this in the past is that session setups are usually a 'rare' event (compared with others), and we just have not seen (or considered) this race in the past.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
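The race Andrew describes above, as an added example that is not part of the original thread and is not Samba's own code: a toy server-side session-setup state machine in which each outstanding challenge is filed under a vuid cookie. When the server hands out real vuids, two clients whose multi-leg session setups interleave both succeed; when it always sends vuid 0 (the Samba3 behaviour described in the post), the second client's challenge overwrites the first's, the first client's 'auth' is verified against the wrong challenge, and the check fails. The HMAC-SHA256 response, the user table, the `Server`/`Client` names and the `NO_SUCH_SESSION` status are all constructed for this illustration; real NTLM/NTLMv2 cryptography and Samba's actual status codes differ, and only WRONG_PASSWORD comes from the thread.

```python
"""Toy model of an SPNEGO-style multi-leg session setup keyed by vuid.

Constructed example. The response function below (HMAC-SHA256 of the
server challenge under a per-user secret) stands in for the real NTLM
computation; what matters is only that a response is bound to exactly
one challenge, so verifying it against any other challenge fails.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed user database: username -> shared secret (stand-in for the password hash).
USERS = {
    "alice": b"correct horse battery staple",
    "bob": b"hunter2",
}


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of `secret` for this specific `challenge`."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


@dataclass
class Server:
    """Server side of the 'negotiate' -> 'challenge' -> 'auth' -> result legs."""
    use_vuid_cookie: bool            # True: hand out a real vuid; False: always send 0 (Samba3 behaviour)
    pending: dict = field(default_factory=dict)   # vuid -> challenge awaiting its 'auth'
    next_vuid: int = 1

    def negotiate(self):
        """Leg 1 and 2: client's first token arrives, server replies with a challenge and a vuid."""
        challenge = os.urandom(8)
        if self.use_vuid_cookie:
            vuid, self.next_vuid = self.next_vuid, self.next_vuid + 1
        else:
            vuid = 0  # every in-flight session setup now shares one slot
        self.pending[vuid] = challenge   # with vuid 0 this overwrites any earlier challenge
        return vuid, challenge

    def auth(self, vuid: int, user: str, response: bytes) -> str:
        """Leg 3 and 4: client's 'auth' token arrives; line it up with the challenge we sent."""
        challenge = self.pending.pop(vuid, None)
        if challenge is None:
            return "NO_SUCH_SESSION"   # model's own status: nothing pending under this vuid
        expected = compute_response(USERS[user], challenge)
        if hmac.compare_digest(expected, response):
            return "OK"
        return "WRONG_PASSWORD"        # correct password, but verified against an unrelated challenge


def sequential_login(use_vuid_cookie: bool, user: str = "alice") -> str:
    """One client at a time: works either way, which is why the race was rarely seen."""
    server = Server(use_vuid_cookie)
    vuid, challenge = server.negotiate()
    return server.auth(vuid, user, compute_response(USERS[user], challenge))


def interleaved_logins(use_vuid_cookie: bool) -> list:
    """Two clients whose session setups interleave: both negotiate, then both send 'auth'."""
    server = Server(use_vuid_cookie)
    vuid_a, ch_a = server.negotiate()   # alice's challenge
    vuid_b, ch_b = server.negotiate()   # bob's challenge (overwrites alice's when vuid is 0)
    result_a = server.auth(vuid_a, "alice", compute_response(USERS["alice"], ch_a))
    result_b = server.auth(vuid_b, "bob", compute_response(USERS["bob"], ch_b))
    return [result_a, result_b]


if __name__ == "__main__":
    print("sequential, vuid cookie:", sequential_login(True))
    print("sequential, vuid 0:     ", sequential_login(False))
    print("interleaved, vuid cookie:", interleaved_logins(True))
    print("interleaved, vuid 0:     ", interleaved_logins(False))
```

The sequential case succeeds with or without the cookie, matching the observation that the problem only surfaces when session setups overlap; with vuid 0, the first interleaved client gets WRONG_PASSWORD even though its password is correct, because the server paired its 'auth' with the other client's challenge.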
