Kerberos Ticket Forwarding patch/update

Andrew Bartlett abartlet at
Fri Jul 25 02:02:23 GMT 2008

On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
> Hello,
> That the computer is "trusted for delegation" doesn't mean that the
> user wants to delegate.
> The reason I'm asking is that when I asked msft about this, they said
> they only delegated if GSS_C_DELEGATE_FLAG and ok-as-delegate was set.
> ok-as-delegate alone was not a criterion alone for delegation. I want to
> know if it's true.
> If it's true, and the user never sets GSS_C_DELEGATE_FLAG, samba
> shouldn't delegate.

The problem here is that if it's up to the user (i.e., as a command line
option), then none of this useful delegation stuff ever happens, and we
end up giving hosts the right to make up arbitrary tickets, not just
accept forwarded ones.  I actually agree with Microsoft here, and the
delegation should be controlled by the KDC.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.

More information about the samba-technical mailing list