Kerberos Ticket Forwarding patch/update
Derrick Schommer
dschommer at F5.com
Fri Jul 25 17:13:25 GMT 2008
> So I would read this is the client will only delegate if the client wants
> to and the KDC says it is OK.
So, Windows must, as default behavior, set GSS_C_DELEGATE_FLAG (at least in CIFS) as it always received the second ticket when talking to a system that's set up as "Trusted for Delegation."
Samba can do the same, if needed. However, Windows does indeed send a second ticket to the smbclient regardless of the GSS_C_DELEGATE_FLAG as it is today (unless that's implemented somewhere outside of the smb libraries), as the patch I've submitted works against the virtualized storage device (ARX) without a problem.
Probably because krb5.conf has forwardable = true;
"forward should in most cases be set to true, in order to forward tickets obtained as "forwardable" to remote hosts by default." via http://www.fnal.gov/docs/strongauth/krb5conf.html
Derrick
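
An added example, not part of the original post or of Samba's code: a small Python check that lists every place a krb5.conf enables ticket forwarding, the setting the message above points to as the likely cause. The sample file, the function names and the watched key set are constructed for illustration, and the code assumes an MIT-style krb5.conf, including the boolean spellings MIT krb5 reads as true.

```python
import re

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # spellings MIT krb5 reads as true
WATCHED = {"forwardable", "forward"}               # relations that control forwarding

# Constructed sample, not taken from any real host.
SAMPLE_KRB5_CONF = """\
# constructed example
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true

[appdefaults]
    forward = false
    telnet = {
        forward = yes
        forwardable = no
    }
"""

def find_forwarding_settings(text):
    """Return [(path, enabled)] for every forwardable/forward relation."""
    findings, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new top-level section
            section, stack = m.group(1), []
            continue
        if line.startswith("}"):                 # end of a nested subsection
            if stack:
                stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or section is None:
            continue
        if value == "{":                         # start of a nested subsection
            stack.append(key)
        elif key in WATCHED:
            path = "/".join([section, *stack, key])
            findings.append((path, value.lower() in TRUE_WORDS))
    return findings

def enabled_paths(text):
    """Paths whose forwarding relation is switched on."""
    return [p for p, on in find_forwarding_settings(text) if on]

if __name__ == "__main__":
    for path, on in find_forwarding_settings(SAMPLE_KRB5_CONF):
        print(f"{path}: {'ENABLED' if on else 'disabled'}")
```
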