Kerberos Ticket Forwarding patch/update

Scott Lovenberg scott.lovenberg at gmail.com
Fri Jul 25 14:27:01 GMT 2008 

Andrew Bartlett wrote:
> On Fri, 2008-07-25 at 08:27 +0100, Love Hörnquist Åstrand wrote:
>   
>> 25 jul 2008 kl. 03.02 skrev Andrew Bartlett:
>>
>>     
>>> On Thu, 2008-07-24 at 23:27 +0100, Love Hörnquist Åstrand wrote:
>>>       
>>>> Hello,
>>>>
>>>> That the computer it "trusted for delegation" doesn't mean that the
>>>> user want to delegate.
>>>>
>>>> The reason I'm asking is that when I asked msft about this, they said
>>>> they only delegated if GSS_C_DELGATE_FLAG and ok-as-delegate was set.
>>>> ok-as-delegate alone was not a critera alone for delegation. I want  
>>>> to
>>>> know if its true.
>>>>
>>>> If its true, and the user never sets GSS_C_DELEGATE_FLAG, samba
>>>> shouldn't delegate.
>>>>         
>>> The problem here is that if it's up to the user (ie, as a command line
>>> option), then none of this useful delegation stuff ever happens, and  
>>> we
>>> end up giving hosts the right to make up arbitrary tickets, not just
>>> accept forwarded ones.  I actually agree with Microsoft here, and the
>>> delegation should be controlled by the KDC.
>>>       
>> So do I
>>
>> commit 9bdd4ef9a69775475fbd7468fd42edc14107ecc8
>> Author: lha <lha at ec53bebd-3082-4978-b11e-865c3cabbd6b>
>> Date:   Wed Nov 2 11:52:49 2005 +0000
>>
>>      Change sematics of ok-as-delegate to match windows if
>>      [gssapi]realm/ok-as-delegate=true is set, otherwise keep old  
>> sematics.
>>
>>
>>      git-svn-id: svn+ssh://svn.h5l.org/svn/heimdal/trunk/heimdal@16283  
>> ec53bebd-3082-4978-b11e-865c3cabbd6b
>>
>>
>> What I'm asking for is samba to honor the GSS_C_DELEGATE_FLAG.  
>> Probably it should be default set to on for SMB.
>>     
>
> Here Samba is the application, not the library (well, I suppose it is
> the library for libsmbclient, but we don't give those callers this level
> of control), so it is reasonable to have it on by default.  A config
> option might be appropriate, but we already have config-itis...
>
> Andrew Bartlett
>   
FWIW, I didn't find the configure options for Samba4 to be over the top 
at all.  Considering the scope of the project, and the number of 
interfacing options, the ./configure --help=recursive was surprisingly 
short, IMHO.  Furthermore when I consider that most were cases of "we'll 
use it if we can find it". 

That's actually one of the things I was just talking to a friend about 
last night, the number of compile time options for most Linux apps.  You 
can go big and include the kitchen sink, only link the libraries needed 
to run the bare minimum or anything in between.  Then again, I don't 
maintain any binary packages and I could see where this would be a 
headache for upstream packagers.  Just my $0.02.

More information about the samba-technical mailing list