[PATCH] Bug#1780 smbspool can't use kerberos authentication
Gerald (Jerry) Carter
jerry at samba.org
Mon May 9 15:27:06 GMT 2005
Rodrigo Fernandez-Vizarra wrote:
| There is not really a drawback (as far as I can tell)
| with that second patch other than that sometimes (if kerberos
| is used) the smbspool will switch the users at some
| time during the execution. Given that smbspool
| is not a daemon I don't see any problem with this,
| but of course I could be wrong :-)
|
| Switching users is a workaround for the following
| problem that I found with SuSE and Heimdal: You can get
| a kerberos ticket for a given user, let's say User1.
| Then as root you can define KRB5CCNAME to point
| to the User1 ticket cache and then use that ticket, in
| that way root can impersonate user1.
|
| This last step (defining KRB5CCNAME as root and then
| using User1 tickets) is not working in SuSE. That I don't
| know if it's a bug or a SuSE feature. It does work in
| Debian and Solaris. I would say it's a bug but I'm not a
| security expert to say that. With the setuid this always
| works as the process is owned by the user who issued
| the print job and so it's able to read his own ticket cache.

OK. That's pretty much how I remembered our discussion
as well. I'm working on a few small cleanups and to ensure
that smbspool still builds without kerberos libs before I
check it in. Should be done later today.

cheers, jerry
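The thread turns on which process may read the ticket cache that KRB5CCNAME names. As an added example (not code from this thread or from smbspool; `ccache_file_path` and `ccache_owned_by` are hypothetical names), here is a check that a backend started as root could run before using such a cache, so that it only accepts a file-based cache that belongs to the user who issued the print job:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path part of a KRB5CCNAME value: "FILE:/p" or "/p". NULL for other
 * cache types (e.g. "KEYRING:"), which this example does not handle. */
static const char *ccache_file_path(const char *ccname)
{
    if (ccname == NULL)
        return NULL;
    if (strncmp(ccname, "FILE:", 5) == 0)
        ccname += 5;
    return ccname[0] == '/' ? ccname : NULL;
}

/* 0 if the cache is a regular file owned by job_uid with no group/other
 * permission bits; -1 otherwise. */
int ccache_owned_by(const char *ccname, uid_t job_uid)
{
    const char *path = ccache_file_path(ccname);
    struct stat st;
    int fd, ok;

    if (path == NULL)
        return -1;
    /* O_NOFOLLOW rejects a symlink planted at the path; fstat() on the
     * open descriptor avoids a check-then-open race. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
         st.st_uid == job_uid &&
         (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    const char *cc = getenv("KRB5CCNAME");
    int rc = ccache_owned_by(cc, getuid());
    printf("%s: %s\n", cc ? cc : "(unset)", rc == 0 ? "ok" : "rejected");
    return rc == 0 ? 0 : 1;
}
```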