Kerberos Ticket Forwarding patch/update

Love Hörnquist Åstrand lha at kth.se
Thu Jul 24 22:27:19 GMT 2008


Hello,

That the computer is "trusted for delegation" doesn't mean that the  
user wants to delegate.

The reason I'm asking is that when I asked msft about this, they said  
they only delegated if GSS_C_DELEGATE_FLAG and ok-as-delegate was set.  
ok-as-delegate alone was not a criterion for delegation. I want to  
know if it's true.

If it's true, and the user never sets GSS_C_DELEGATE_FLAG, samba  
shouldn't delegate.

Love



On 24 Jul 2008, at 23:03, Derrick Schommer wrote:

> The OK_AS_DELEGATE is set when the ticket is granted based on a  
> computer account being told, on the domain controller, "trusted for  
> delegation"
>
> In those cases, we want to forward on the second ticket for that  
> system so that it can negotiate with the back-end storage that it's  
> virtualizing.
>
> Derrick
>
> -----Original Message-----
> From: Love Hörnquist Åstrand [mailto:lha at kth.se]
> Sent: Thursday, July 24, 2008 17:53
> To: Derrick Schommer
> Cc: samba-technical at lists.samba.org
> Subject: Re: Kerberos Ticket Forwarding patch/update
>
> Hello all,
>
> I would really like to know the behavior of Windows: is it the
> OK_AS_DELEGATE flag that really is used to determine if a ticket should
> be delegated?
>
> Or is it the application that thinks it should, by setting
> GSS_C_DELEGATE, and the SSPI library that strips it if the
> OK_AS_DELEGATE isn't set by the KDC on the service ticket?
>
> If the user never meant to delegate, samba shouldn't default to.
>
> Love
>
>
>
>
> On 24 Jul 2008, at 21:28, Derrick Schommer wrote:
>
>> Hi,
>>
>> I'm looking to commit a patch for the 3.0 code base and the 3.2 code
>> base to allow samba using Kerberos authentication to work with proxy
>> devices which are set to be "trusted for delegation" in a Windows
>> domain. The update, in clikrb5.c would add detection for tickets with
>> OK_AS_DELEGATE and would then request a forwardable ticket from the
>> KDC and send it along with the krb5_mk_req_extended() function call.
>>
>> This would allow operating systems with Samba 3.x to interoperate with
>> the F5 Acopia ARX product line for storage virtualization along with
>> any other future virtualization vendors. I'm not sure if I send patches
>> to this mailer or not (as this patch is 260 lines long and I have one
>> for 3.0.x and 3.2.x). I'd love for the team to review it and do what
>> would be needed to commit it into the projects.
>>
>> Thanks in advance.
>>
>> Derrick Schommer | Corporate Systems Engineer
>> F5 Networks
>> P 978.513.2900
>> F 978.513.2990
>> www.f5.com
>> D 978.513.2960
>> M 603.765.0012
>
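The two policies argued over above, as an added illustration that is not code from Samba, the proposed patch, or any poster: one rule delegates whenever the KDC set ok-as-delegate on the service ticket (the patch as described), the other also requires the application to have asked for delegation (the GSS-API request flag, which the thread calls GSS_C_DELEGATE_FLAG). The flag names and bit numbers follow RFC 4120 section 5.3.1; the sample flag bytes are constructed.

```python
"""Kerberos delegation decision: KDC permission vs. caller intent."""

# RFC 4120 section 5.3.1 TicketFlags bit numbers; bit 0 is the MSB of the
# first octet of the KerberosFlags BIT STRING (at least 32 bits long).
TICKET_FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "ok-as-delegate": 13,
}


def decode_ticket_flags(flags: bytes) -> set:
    """Decode the TicketFlags bytes of a service ticket into flag names."""
    if len(flags) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    names = set()
    for name, bit in TICKET_FLAG_BITS.items():
        octet, offset = divmod(bit, 8)
        if flags[octet] & (0x80 >> offset):
            names.add(name)
    return names


def encode_ticket_flags(names) -> bytes:
    """Inverse of decode_ticket_flags, used to build constructed samples."""
    value = 0
    for name in names:
        value |= 1 << (31 - TICKET_FLAG_BITS[name])
    return value.to_bytes(4, "big")


def should_delegate(app_requested: bool, ticket_flags: set,
                    require_app_intent: bool = True) -> bool:
    """Decide whether a forwarded TGT may be handed to the service.

    require_app_intent=True is the rule the thread attributes to Windows:
    the KDC's ok-as-delegate only permits what the caller explicitly asked
    for. require_app_intent=False is the "delegate whenever ok-as-delegate
    is set" behaviour, which forwards credentials the user never chose to
    release to a merely "trusted for delegation" host.
    """
    kdc_allows = "ok-as-delegate" in ticket_flags
    if require_app_intent:
        return app_requested and kdc_allows
    return kdc_allows


if __name__ == "__main__":
    # Constructed sample: forwardable + pre-authent + ok-as-delegate.
    sample = encode_ticket_flags({"forwardable", "pre-authent", "ok-as-delegate"})
    for intent in (False, True):
        for strict in (True, False):
            print(intent, strict, should_delegate(intent, decode_ticket_flags(sample), strict))
```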