[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-2797-g5f41913
Jeremy Allison
jra at samba.org
Tue Sep 9 22:14:35 GMT 2008
On Tue, Sep 09, 2008 at 11:50:19AM +0100, Love Hörnquist Åstrand wrote:
>
> 9 sep 2008 kl. 11.09 skrev Andreas Schneider:
>
>> On Friday 08 August 2008 23:33:36 Jeremy Allison wrote:
>>> commit 5f419135ba1acae6bc37692fa77ae1162b62e0e3
>>> Author: Jeremy Allison <jra at samba.org>
>>> Date: Fri Aug 8 14:33:00 2008 -0700
>>>
>>> Add Derrick Schommer's <dschommer at F5.com> kerberos delegation
>>> patch.
>>> Some work by me and advice by Love.
>>> Jeremy.
>>>
>>
>> I'm sorry to say that this code breaks kerberos support of smbclient
>> and
>> libsmbclient.
>
> Try to get forwardable tickets and see if that fixes the problem.
>
> kinit -f
>
> Jeremy, krb5_fwd_tgt_creds() failure should not be fatal, just strip of
> GSS_C_DELEG_FLAG
Sorry, need a *lot* more clarification before writing that patch.
Are you saying that I should remove the GSS_C_DELEG_FLAG from the
gss_init_sec_context() call in make_cli_gss_blob() (which is the
only place I use it in a gss call) ? I thought that was just requesting
a delegatable ticket, but would not then fail the gss_init_sec_context()
call, just return with a non-delegatable ticket and without
GSS_C_DELEG_FLAG set ?
Or are you saying that I should ignore failures in the
krb5_fwd_tgt_creds() call in the ads_krb5_get_fwd_ticket()
function and keep on to the krb5_mk_req_extended() call
within ads_krb5_mk_req() instead ?
Note that I only call into ads_krb5_get_fwd_ticket() if
the krb5_creds struct pointer in ads_krb5_mk_req()
has credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE set.
More info needed than a quick "just strip of GSS_C_DELEG_FLAG"
in order to write a working patch :-) :-).
Thanks,
Jeremy.
More information about the samba-technical
mailing list