[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2797-g5f41913

Jeremy Allison jra at samba.org
Tue Sep 9 22:14:35 GMT 2008

On Tue, Sep 09, 2008 at 11:50:19AM +0100, Love Hörnquist Åstrand wrote:
> 9 sep 2008 kl. 11.09 skrev Andreas Schneider:
>> On Friday 08 August 2008 23:33:36 Jeremy Allison wrote:
>>> commit 5f419135ba1acae6bc37692fa77ae1162b62e0e3
>>> Author: Jeremy Allison <jra at samba.org>
>>> Date:   Fri Aug 8 14:33:00 2008 -0700
>>>    Add Derrick Schommer's <dschommer at F5.com> kerberos delegation  
>>> patch.
>>> Some work by me and advice by Love.
>>>    Jeremy.
>> I'm sorry to say that this code breaks kerberos support of smbclient  
>> and
>> libsmbclient.
> Try to get forwardable tickets and see if that fixes the problem.
> kinit -f
> Jeremy, krb5_fwd_tgt_creds() failure should not be fatal, just strip of 

Sorry, need a *lot* more clarification before writing that patch.

Are you saying that I should remove the GSS_C_DELEG_FLAG from the
gss_init_sec_context() call in make_cli_gss_blob() (which is the
only place I use it in a gss call) ? I thought that was just requesting
a delegatable ticket, but would not then fail the gss_init_sec_context()
call, just return with a non-delegatable ticket and without

Or are you saying that I should ignore failures in the
krb5_fwd_tgt_creds() call in the ads_krb5_get_fwd_ticket()
function and keep on to the krb5_mk_req_extended() call
within ads_krb5_mk_req() instead ?

Note that I only call into ads_krb5_get_fwd_ticket() if
the krb5_creds struct pointer in ads_krb5_mk_req()
has credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE set.

More info needed than a quick "just strip of GSS_C_DELEG_FLAG"
in order to write a working patch :-) :-).



More information about the samba-technical mailing list