Kerberos Ticket Forwarding patch/update

[Derrick Schommer]

So, should I submit the diffs with GSS_C_DELEGATE_FLAG?

If so, where is this in the 3.0 tree? I'm seeing a gss_init_sec_context() in libsmb/clifsinfo.c in the 3.2 tree but in the 3.0 tree I only can find this call in sasl.c

Any ideas?

Derrick

-----Original Message-----
From: Love Hörnquist Åstrand [mailto:lha at kth.se] 
Sent: Friday, July 25, 2008 03:27
To: Andrew Bartlett
Cc: Derrick Schommer; samba-technical at lists.samba.org
Subject: Re: Kerberos Ticket Forwarding patch/update


25 jul 2008 kl. 03.02 skrev Andrew Bartlett:

> On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
>> Hello,
>>
>> That the computer it "trusted for delegation" doesn't mean that the
>> user want to delegate.
>>
>> The reason I'm asking is that when I asked msft about this, they said
>> they only delegated if GSS_C_DELGATE_FLAG and ok-as-delegate was set.
>> ok-as-delegate alone was not a critera alone for delegation. I want  
>> to
>> know if its true.
>>
>> If its true, and the user never sets GSS_C_DELEGATE_FLAG, samba
>> shouldn't delegate.
>
> The problem here is that if it's up to the user (ie, as a command line
> option), then none of this useful delegation stuff ever happens, and  
> we
> end up giving hosts the right to make up arbitrary tickets, not just
> accept forwarded ones.  I actually agree with Microsoft here, and the
> delegation should be controlled by the KDC.

So do I

commit 9bdd4ef9a69775475fbd7468fd42edc14107ecc8
Author: lha <lha at ec53bebd-3082-4978-b11e-865c3cabbd6b>
Date:   Wed Nov 2 11:52:49 2005 +0000

     Change sematics of ok-as-delegate to match windows if
     [gssapi]realm/ok-as-delegate=true is set, otherwise keep old  
sematics.


     git-svn-id: svn+ssh://svn.h5l.org/svn/heimdal/trunk/heimdal@16283  
ec53bebd-3082-4978-b11e-865c3cabbd6b


What I'm asking for is samba to honor the GSS_C_DELEGATE_FLAG.  
Probably it should be default set to on for SMB.


Love