Kerberos Ticket Forwarding patch/update

Derrick Schommer dschommer at F5.com
Thu Jul 24 22:03:11 GMT 2008


The OK_AS_DELEGATE flag is set when the ticket is granted based on a computer account being told, on the domain controller, "trusted for delegation".

In those cases, we want to forward on the second ticket for that system so that it can negotiate with the back-end storage that it's virtualizing.

Derrick 

-----Original Message-----
From: Love Hörnquist Åstrand [mailto:lha at kth.se] 
Sent: Thursday, July 24, 2008 17:53
To: Derrick Schommer
Cc: samba-technical at lists.samba.org
Subject: Re: Kerberos Ticket Forwarding patch/update

Hello all,

I would really like to know the behavior of Windows: is it the
OK_AS_DELEGATE flag that is really used to determine if the ticket should
be delegated?

Or is it that the application thinks it should, by setting
GSS_C_DELEGATE, and the SSPI library strips it if
OK_AS_DELEGATE isn't set by the KDC on the service ticket?

If the user never meant to delegate, Samba shouldn't default to it.

Love




On 24 Jul 2008, at 21:28, Derrick Schommer wrote:

> Hi,
>
> I'm looking to commit a patch for the 3.0 code base and the 3.2 code
> base to allow Samba using Kerberos authentication to work with proxy
> devices which are set to be "trusted for delegation" in a Windows
> domain. The update, in clikrb5.c, would add detection for tickets with
> OK_AS_DELEGATE and would then request a forwardable ticket from the KDC
> and send it along with the krb5_mk_req_extended() function call.
>
> This would allow operating systems with Samba 3.x to interoperate with
> the F5 Acopia ARX product line for storage virtualization along with any
> other future virtualization vendors. I'm not sure if I send patches to
> this mailer or not (as this patch is 260 lines long and I have one for
> 3.0.x and 3.2.x). I'd love for the team to review it and do what would
> be needed to commit it into the projects.
>
> Thanks in advance.
>
> Derrick Schommer | Corporate Systems Engineer
> F5 Networks
> P 978.513.2900
> F 978.513.2990
> D 978.513.2960
> M 603.765.0012
> www.f5.com <http://www.f5.com>
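A worked illustration of the flag check the thread is arguing about, added here as an example and not code from Samba, Heimdal or F5. It DER-encodes and decodes the RFC 4120 TicketFlags BIT STRING (the field a client would inspect on the service ticket), prints the flags in the letters MIT krb5 "klist -f" uses so the result can be compared against a real ticket cache, and applies both policies the thread contrasts: forward the user's credentials whenever the KDC set OK_AS_DELEGATE (the patch as Derrick describes it), versus forward only when the application also asked for delegation and the KDC set the flag (the SSPI behavior Love asks about). The sample ticket flags are constructed; no KDC is contacted, and the flag names and letters are the only assumptions beyond RFC 4120.

```python
# Added example (not Samba, Heimdal or F5 code): decode the TicketFlags of
# a Kerberos service ticket and apply the two delegation policies the
# thread discusses. Bit numbers follow RFC 4120 section 5.4.1, where
# bit 0 is the most significant bit of the BIT STRING.
TICKET_FLAG_BITS = {
    "reserved": 0,
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}

# Letters MIT krb5 "klist -f" prints for the same flags, in its order.
KLIST_LETTERS = [
    ("forwardable", "F"), ("forwarded", "f"), ("proxiable", "P"),
    ("proxy", "p"), ("may-postdate", "D"), ("postdated", "d"),
    ("invalid", "i"), ("renewable", "R"), ("initial", "I"),
    ("hw-authent", "H"), ("pre-authent", "A"),
    ("transited-policy-checked", "T"), ("ok-as-delegate", "O"),
]


def encode_ticket_flags(names):
    """DER-encode a set of flag names as the 32-bit KerberosFlags BIT STRING."""
    value = 0
    for name in names:
        value |= 0x80000000 >> TICKET_FLAG_BITS[name]
    # tag 0x03 (BIT STRING), length 5, 0 unused bits, 4 bytes big-endian
    return bytes([0x03, 0x05, 0x00]) + value.to_bytes(4, "big")


def decode_ticket_flags(der):
    """Decode a DER BIT STRING carrying KerberosFlags into the set of flag names set."""
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for KerberosFlags")
    if length < 5 or len(der) != 2 + length:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    unused = der[2]
    if unused > 7:
        raise ValueError("bad unused-bits count")
    body = der[3:]
    nbits = len(body) * 8 - unused
    flags = set()
    for name, bit in TICKET_FLAG_BITS.items():
        # bit n lives in byte n//8, counted from the most significant bit
        if bit < nbits and body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(name)
    return flags


def klist_flag_string(flags):
    """Render flags the way "klist -f" would, e.g. "FRO" for
    forwardable + renewable + ok-as-delegate."""
    return "".join(letter for name, letter in KLIST_LETTERS if name in flags)


def delegate_per_patch(flags):
    """Policy of the proposed Samba patch as described in the thread: forward
    the user's credentials whenever the KDC set OK_AS_DELEGATE on the ticket."""
    return "ok-as-delegate" in flags


def delegate_sspi_style(flags, app_requested_delegation):
    """Policy Love asks about: the application must opt in (the GSS delegation
    flag) and the library strips the request unless the KDC marked the
    service ticket OK_AS_DELEGATE. Neither side alone is enough."""
    return app_requested_delegation and "ok-as-delegate" in flags


if __name__ == "__main__":
    # Constructed sample: a ticket for a host that is "trusted for delegation".
    trusted = decode_ticket_flags(
        encode_ticket_flags({"forwardable", "renewable", "ok-as-delegate"}))
    print(klist_flag_string(trusted), delegate_per_patch(trusted),
          delegate_sspi_style(trusted, False))
```

The two policy functions differ only in whether the application's own intent is consulted; with the SSPI-style rule a ticket showing "O" in klist -f is necessary but not sufficient, which is the point Love raises about Samba defaulting to delegation.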


