Kerberos Ticket Forwarding patch/update

Andrew Bartlett abartlet at samba.org
Fri Jul 25 07:32:57 GMT 2008


On Fri, 2008-07-25 at 08:27 +0100, Love Hörnquist Åstrand wrote:
> 25 jul 2008 kl. 03.02 skrev Andrew Bartlett:
> 
> > On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
> >> Hello,
> >>
> >> That the computer is "trusted for delegation" doesn't mean that the
> >> user wants to delegate.
> >>
> >> The reason I'm asking is that when I asked msft about this, they said
> >> they only delegated if GSS_C_DELEGATE_FLAG and ok-as-delegate was set.
> >> ok-as-delegate alone was not a criterion for delegation. I want to
> >> know if it's true.
> >>
> >> If it's true, and the user never sets GSS_C_DELEGATE_FLAG, samba
> >> shouldn't delegate.
> >
> > The problem here is that if it's up to the user (ie, as a command line
> > option), then none of this useful delegation stuff ever happens, and we
> > end up giving hosts the right to make up arbitrary tickets, not just
> > accept forwarded ones.  I actually agree with Microsoft here, and the
> > delegation should be controlled by the KDC.
> 
> So do I
> 
> commit 9bdd4ef9a69775475fbd7468fd42edc14107ecc8
> Author: lha <lha at ec53bebd-3082-4978-b11e-865c3cabbd6b>
> Date:   Wed Nov 2 11:52:49 2005 +0000
> 
>      Change semantics of ok-as-delegate to match windows if
>      [gssapi]realm/ok-as-delegate=true is set, otherwise keep old semantics.
> 
> 
>      git-svn-id: svn+ssh://svn.h5l.org/svn/heimdal/trunk/heimdal@16283 ec53bebd-3082-4978-b11e-865c3cabbd6b
> 
> 
> What I'm asking for is samba to honor the GSS_C_DELEGATE_FLAG.  
> Probably it should be default set to on for SMB.

Here Samba is the application, not the library (well, I suppose it is
the library for libsmbclient, but we don't give those callers this level
of control), so it is reasonable to have it on by default.  A config
option might be appropriate, but we already have config-itis...

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
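The rule the thread converges on (forward credentials only when the application set the GSS-API delegation request flag, called GSS_C_DELEGATE_FLAG above and GSS_C_DELEG_FLAG in RFC 2744, and the KDC set ok-as-delegate on the service ticket) as an added example that is not code from the thread, Samba or Heimdal. The DER-encoded TicketFlags samples are constructed; the bit numbering follows RFC 4120 section 5.3.1, where bit 0 is the most significant bit of the first octet.

```python
# Added example (not from the thread, Samba or Heimdal): decode RFC 4120
# TicketFlags and apply "delegate only if the caller asked AND the KDC
# marked the ticket ok-as-delegate".
GSS_C_DELEG_FLAG = 1  # RFC 2744 req_flags bit; the thread calls it GSS_C_DELEGATE_FLAG

# RFC 4120 section 5.3.1 bit numbers. Bit n lives in octet n // 8 of the
# BIT STRING body under mask 0x80 >> (n % 8), i.e. bit 0 is the MSB.
TICKET_FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}

def decode_ticket_flags(der: bytes) -> set:
    """Parse a short-form DER BIT STRING (tag 0x03) holding TicketFlags into flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused, body = der[2], der[3:]
    nbits = len(body) * 8 - unused  # bits beyond nbits are padding, not flags
    flags = set()
    for name, bit in TICKET_FLAG_BITS.items():
        if bit < nbits and body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(name)
    return flags

def should_forward_tgt(req_flags: int, ticket_flags: set) -> bool:
    """Windows rule: both the application's request and the KDC's ticket flag are needed."""
    asked = bool(req_flags & GSS_C_DELEG_FLAG)
    return asked and "ok-as-delegate" in ticket_flags

# Constructed samples: forwardable, renewable, initial, pre-authent, with and
# without ok-as-delegate (octets 40 e4 00 00 versus 40 e0 00 00).
SAMPLE_OK = bytes.fromhex("03050040e40000")
SAMPLE_NO = bytes.fromhex("03050040e00000")

if __name__ == "__main__":
    for label, der in (("ok-as-delegate set", SAMPLE_OK), ("ok-as-delegate clear", SAMPLE_NO)):
        flags = decode_ticket_flags(der)
        print(label, sorted(flags), "delegate:", should_forward_tgt(GSS_C_DELEG_FLAG, flags))
```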