[PATCH] Bug#1780 smbspool can't use kerberos authentication

Gerald (Jerry) Carter jerry at samba.org
Mon May 9 15:27:06 GMT 2005

Hash: SHA1

Rodrigo Fernandez-Vizarra wrote:

| There is not really a drawback (as far as I can tell)
| with that second  patch other that sometimes (if kerberos
| is used) the smbspool will  switch the users at some
| time during the execution. Given that smspool
| is not a daemon I don't see any problem with this,
| but of course I could  be wrong :-)
| Switching users is a workaround for the following
| problem that I found  with SuSE and Heimdal: You can get
| a kerberos ticket for a given user, let say User1.
| Then as root you can define KRB5CCNAME to point
| to the User1 ticket cache and then use that ticket, in
| that way root can  impersonate user1.
| This last step (defining KRB5CCNAME as root and then
| using User1  tickets) is not working in SuSE. That I don't
| know if it's a bug or a  SuSE feature. It does work in
| Debian an Solaris. I would say it's a bug  but I'm not a
| security expert to say that. With the setuid this always
| works as the process is owned by the user who issued
| the print job and so it's able to read his own ticket cache.

ok.  That's pretty much how I remembered our discussion
as well.  I'm working on a few small cleanups and to ensure
that smbspool still builds without kerberos libs before I
check it in.  Should be done later today.

cheers, jerry

Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the samba-technical mailing list