Andrew Bartlett
2022-Nov-28 23:12 UTC
[Samba] How does AD/SMB clients authenticate servers?
On Mon, 2022-11-28 at 12:01 -0800, Kris Lou via samba wrote:
> > (and it seems my setup with the same name to mean different
> > things depending on the location based on overriding CNAMEs does not
> > work for this reason: validity of such server can't be verified, and
> > the clients can - in theory - be tricked to access wrong, malicious
> > server instead of the right one, unless I'll do it some other way).
>
> My (very incomplete) understanding is CNAMES work, as they then
> use referred SPN instead of the CNAME.
>
> So, your problem might be that FS/CIFS at DOMAIN.tld is already an existing
> principal in AD, instead of global CNAME that only exists in DNS?
>
> -Kris

I wanted to write more (and may get a chance to later) but this is it.

Just like certificates in a browser, the name in the URL bar must match the certificate exactly, and one certificate can have many names.

So no matter what (untrusted) DNS does under the hood, the name in the UNC path is the name that the SPN must be for.

That it works without a SPN-registered name is down to NTLM fallback, which has much weaker protection, and all servers can impersonate each other (to an extent).

Andrew,

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Michael Tokarev
2022-Nov-29 17:03 UTC
[Samba] How does AD/SMB clients authenticate servers?
29.11.2022 02:12, Andrew Bartlett via samba wrote:
..
> I wanted to write more (and may get a chance to later) but this is it.
>
> Just like certificates in a browser, the name in the URL bar, must
> match the certificate exactly, and one certificate can have many names.
>
> So no matter what (untrusted) DNS does under the hood, the name in the
> UNC path is the name that the SPN must be for.
>
> That it works without a SPN-registered name is down to NTLM fallback,
> which has much weaker protection, and all servers can impersonate each
> other (to an extent).

Yes, this is exactly what I was asking. In the absence of an EXPLICIT SPN (which is created by samba-tool domain join if smb.conf has netbios aliases set - a proper SPN is created for each name listed in there), there will be no protection against impersonation and hijacking.

It is not "my problem" really. It just appears to be a little-known fact: many people out there on this list who suggest using CNAMEs missed this very point, that besides a CNAME, a corresponding SPN needs to be created *too* - this is not done automatically. Some people don't even understand that a *server* needs to be authenticated by a client too.

Thank you for the answer, Andrew - as always very useful and exactly to the point.

/mjt
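The point both messages make (the client derives the SPN from the name typed in the UNC path, not from what DNS resolves it to, so a CNAME without a matching SPN silently lands in NTLM fallback) can be turned into a small audit. The example below is added here and is not code from the thread or from Samba; the DNS records, SPN list and domain `example.tld` are constructed sample data, and the acceptance of `host/` for CIFS is an assumption based on the default sPNMappings in AD.

```python
# Audit which server names will get Kerberos (SPN registered for the name
# as typed) and which will fall back to NTLM, where the server is unverified.

# Constructed sample DNS zone: name -> (record type, target). Hypothetical.
DNS = {
    "fs1.example.tld":   ("A", "10.0.0.5"),
    "files.example.tld": ("CNAME", "fs1.example.tld"),   # alias, no SPN
    "fs2.example.tld":   ("A", "10.0.0.6"),
    "home.example.tld":  ("CNAME", "fs2.example.tld"),   # alias, SPN added
}
# Constructed servicePrincipalName values as registered in AD. Hypothetical.
SPNS = {
    "cifs/fs1.example.tld", "host/fs1.example.tld",
    "cifs/fs2.example.tld", "cifs/home.example.tld",
}

def resolve(name, dns, depth=0):
    """Follow a CNAME chain to its A record; None if unresolvable or looping."""
    rtype, target = dns.get(name, (None, None))
    if rtype == "A":
        return target
    if rtype == "CNAME" and depth < 8:
        return resolve(target, dns, depth + 1)
    return None

def unc_host(unc):
    """Return the lower-cased host component of \\\\host\\share\\path."""
    return unc.strip("\\").split("\\")[0].lower()

def classify(unc, dns, spns):
    """'kerberos', 'ntlm-fallback' or 'unresolvable' for a UNC path."""
    name = unc_host(unc)
    if resolve(name, dns) is None:
        return "unresolvable"
    # The client builds cifs/<name as typed>; the CNAME target's SPN does
    # not help. host/<name> is assumed accepted via the default sPNMappings.
    if f"cifs/{name}" in spns or f"host/{name}" in spns:
        return "kerberos"
    return "ntlm-fallback"

def audit(dns, spns):
    """Map every DNS name to its expected authentication outcome."""
    return {n: classify(f"\\\\{n}\\share", dns, spns) for n in dns}

if __name__ == "__main__":
    for name, outcome in audit(DNS, SPNS).items():
        print(f"{name:22} {outcome}")
```

Every name reported as `ntlm-fallback` needs an SPN for the alias itself (for Samba, `samba-tool spn add cifs/<alias> <machine-account>`), or it remains impersonable regardless of what the CNAME points at.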