Kerberos Ticket Forwarding patch/update
Derrick Schommer
d.schommer at f5.com
Fri Jul 25 02:07:44 GMT 2008
Yes, from my experience with everything from XP to Vista Business, we've
never found a client who's had any ability to control how the flow of
kerberos authentication works while running through virtualized storage,
because this would be a nightmare for helpdesks.
If a client could disable the ability to use delegated proxy authentication
user error would result from the authentication error and helpdesk calls
would be the next step :)
Derrick
On 7/24/08 10:02 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:
> On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
>> Hello,
>>
>> That the computer it "trusted for delegation" doesn't mean that the
>> user want to delegate.
>>
>> The reason I'm asking is that when I asked msft about this, they said
>> they only delegated if GSS_C_DELGATE_FLAG and ok-as-delegate was set.
>> ok-as-delegate alone was not a critera alone for delegation. I want to
>> know if its true.
>>
>> If its true, and the user never sets GSS_C_DELEGATE_FLAG, samba
>> shouldn't delegate.
>
> The problem here is that if it's up to the user (ie, as a command line
> option), then none of this useful delegation stuff ever happens, and we
> end up giving hosts the right to make up arbitrary tickets, not just
> accept forwarded ones. I actually agree with Microsoft here, and the
> delegation should be controlled by the KDC.
>
> Andrew Bartlett
More information about the samba-technical
mailing list