s3-libads Default to NOT using the server-supplied principal from SPNEGO

This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks.  (Becuase
it isn't the name being contacted that is verified with the KDC).

This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour.  As in Samba4, this
defaults to false.

Against 2008 servers, this will not change behaviour.  Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.

Andrew Bartlett

1 files changed, 5 insertions, 3 deletions

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 653d546ccdf..2ba347486a6 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -664,10 +664,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
 	   the principal name back in the first round of
 	   the SASL bind reply.  So we guess based on server
 	   name and realm.  --jerry  */
-	/* Also try best guess when we get the w2k8 ignore
-	   principal back - gd */
+	/* Also try best guess when we get the w2k8 ignore principal
+	   back, or when we are configured to ignore it - gd,
+	   abartlet */
 
-	if (!given_principal ||
+	if (!lp_client_use_spnego_principal() ||
+	    !given_principal ||
 	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
 		status = ads_guess_service_principal(ads, &p->string);