Kerberos Ticket Forwarding patch/update

Derrick Schommer d.schommer at
Fri Jul 25 02:07:44 GMT 2008

Yes, from my experience with everything from XP to Vista Business, we've
never found a client who's had any ability to control how the flow of
kerberos authentication works while running through virtualized storage,
because this would be a nightmare for helpdesks.

If a client could disable the ability to use delegated proxy authentication
user error would result from the authentication error and helpdesk calls
would be the next step :)


On 7/24/08 10:02 PM, "Andrew Bartlett" <abartlet at> wrote:

> On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
>> Hello,
>> That the computer it "trusted for delegation" doesn't mean that the
>> user want to delegate.
>> The reason I'm asking is that when I asked msft about this, they said
>> they only delegated if GSS_C_DELGATE_FLAG and ok-as-delegate was set.
>> ok-as-delegate alone was not a critera alone for delegation. I want to
>> know if its true.
>> If its true, and the user never sets GSS_C_DELEGATE_FLAG, samba
>> shouldn't delegate.
> The problem here is that if it's up to the user (ie, as a command line
> option), then none of this useful delegation stuff ever happens, and we
> end up giving hosts the right to make up arbitrary tickets, not just
> accept forwarded ones.  I actually agree with Microsoft here, and the
> delegation should be controlled by the KDC.
> Andrew Bartlett

More information about the samba-technical mailing list