[PATCH] Add support for using server supplied principal (mic option)

Andrew Bartlett abartlet at samba.org
Mon Sep 8 00:58:17 GMT 2008


On Mon, 2008-08-25 at 00:10 -0400, simo wrote:
> On Mon, 2008-08-25 at 14:05 +1000, Andrew Bartlett wrote:
> > On Sun, 2008-08-24 at 23:58 -0400, simo wrote:

> > > Given this reasoning, I agree this is indeed a security issue. If we
> > > want to enable this behavior it must be optional and the users must be
> > > warned in the documentation of the risks that activating such behavior
> > > would imply.
> > 
> > Indeed, and we should also remove this behaviour from the current Samba3
> > smb client and winbindd.  I've not dared to suggest this in the past,
> > because changing this *will* break some existing sites, but I am very
> > worried to see this added to a new tool. 
> > 
> > That said, Samba4 has never used the supplied principal name, except by
> > the administrator (or test script) specifying an option.
> 
> We should add an option to turn this behavior off, and make it default
> to off for 3.3, can you add it?

As this will require some testing, can I work with you to make this
change at the Plugfest, or is that too late?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.