Kerberos Ticket Forwarding patch/update
Andrew Bartlett
abartlet at samba.org
Fri Jul 25 02:02:23 GMT 2008
On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
> Hello,
>
> That the computer is "trusted for delegation" doesn't mean that the
> user wants to delegate.
>
> The reason I'm asking is that when I asked msft about this, they said
> they only delegated if GSS_C_DELEGATE_FLAG and ok-as-delegate was set.
> ok-as-delegate alone was not a criterion for delegation. I want to
> know if it's true.
>
> If it's true, and the user never sets GSS_C_DELEGATE_FLAG, samba
> shouldn't delegate.

The problem here is that if it's up to the user (i.e., as a command line
option), then none of this useful delegation stuff ever happens, and we
end up giving hosts the right to make up arbitrary tickets, not just
accept forwarded ones. I actually agree with Microsoft here, and the
delegation should be controlled by the KDC.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.