Kerberos Ticket Forwarding patch/update

Derrick Schommer dschommer at
Fri Jul 25 17:13:25 GMT 2008

> So I would read this is the client will only delegate if the client want's > to and the KDC says it is OK.

So, Windows must, as default behavior, set GSS_C_DELEGATE_FLAG (at least in CIFS) as it always received the second ticket when talking to a system that's setup as "Trusted for Delegation."

Samba can do the same, if needed. However, windows does indeed send a second ticket to the smbclient regardless to the GSS_C_DELEGATE_FLAG as it is today (unless that's implemented somewhere outside of the smb libraries). As the patch I've submitted works against the virtualized storage device (ARX) without a problem.

Probably because krb5.conf has forwardable = true;

"forward should in most cases be set to true, in order to forward tickets obtained as "forwardable" to remote hosts by default." via


More information about the samba-technical mailing list