Kerberos Ticket Forwarding patch/update
abartlet at samba.org
Fri Jul 25 07:32:57 GMT 2008
On Fri, 2008-07-25 at 08:27 +0100, Love Hörnquist Åstrand wrote:
> 25 jul 2008 kl. 03.02 skrev Andrew Bartlett:
> > On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
> >> Hello,
> >> That the computer it "trusted for delegation" doesn't mean that the
> >> user want to delegate.
> >> The reason I'm asking is that when I asked msft about this, they said
> >> they only delegated if GSS_C_DELGATE_FLAG and ok-as-delegate was set.
> >> ok-as-delegate alone was not a critera alone for delegation. I want
> >> to
> >> know if its true.
> >> If its true, and the user never sets GSS_C_DELEGATE_FLAG, samba
> >> shouldn't delegate.
> > The problem here is that if it's up to the user (ie, as a command line
> > option), then none of this useful delegation stuff ever happens, and
> > we
> > end up giving hosts the right to make up arbitrary tickets, not just
> > accept forwarded ones. I actually agree with Microsoft here, and the
> > delegation should be controlled by the KDC.
> So do I
> commit 9bdd4ef9a69775475fbd7468fd42edc14107ecc8
> Author: lha <lha at ec53bebd-3082-4978-b11e-865c3cabbd6b>
> Date: Wed Nov 2 11:52:49 2005 +0000
> Change sematics of ok-as-delegate to match windows if
> [gssapi]realm/ok-as-delegate=true is set, otherwise keep old
> git-svn-id: svn+ssh://svn.h5l.org/svn/heimdal/trunk/heimdal@16283
> What I'm asking for is samba to honor the GSS_C_DELEGATE_FLAG.
> Probably it should be default set to on for SMB.
Here Samba is the application, not the library (well, I suppose it is
the library for libsmbclient, but we don't give those callers this level
of control), so it is reasonable to have it on by default. A config
option might be appropriate, but we already have config-itis...
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20080725/845d321f/attachment.bin
More information about the samba-technical