[PATCH] Add support for using server supplied principal (mic
idra at samba.org
Mon Sep 8 02:05:33 GMT 2008
On Mon, 2008-09-08 at 10:58 +1000, Andrew Bartlett wrote:
> On Mon, 2008-08-25 at 00:10 -0400, simo wrote:
> > On Mon, 2008-08-25 at 14:05 +1000, Andrew Bartlett wrote:
> > > On Sun, 2008-08-24 at 23:58 -0400, simo wrote:
> > > > Given this reasoning, I agree this is indeed a security issue. If we
> > > > want to enable this behavior it must be optional and the users must be
> > > > warned in the documentation of the risks that activating such behavior
> > > > would imply.
> > >
> > > Indeed, and we should also remove this behaviour from the current Samba3
> > > smb client and winbindd. I've not dared to suggest this in the past,
> > > because changing this *will* break some existing sites, but I am very
> > > worried to see this added to a new tool.
> > >
> > > That sai, Samba4 has never used the supplied principal name, except by
> > > the administrator (or test script) specifying an option.
> > We should add an option to turn this behavior off, and make it default
> > to off for 3.3, can you add it ?
> As this will require some testing, can I work with you to make this
> change at the Plugfest, or is that too late?
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>
More information about the samba-technical