[RFC] fix bug 12007
metze at samba.org
Wed Jul 6 07:49:15 UTC 2016
>>> What flags are passed in ? Can you point me at the code path that
>>> generates this ?
>> It's in the default gse context flags.
>> In gse_context_init(), we have:
>> gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
>> *GSS_C_DELEG_FLAG* |
> This *must* definitely be made conditional IMHO, it is not ok to just
> send your TGT by default to third parties, it means
> malicious/compromised 3rd parties can simply grab it and then fully
> impersonate you to other services.
It's the KDC's job to check that it trusts the service and include
the delegated creds only if that's the case.
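The two requests differ in who decides whether the TGT leaves the client. The following is an added example, not Samba code and not from this thread: a small C model of the client side of gss_init_sec_context(), showing that an unconditional GSS_C_DELEG_FLAG forwards the TGT regardless of what the KDC put in the service ticket, while the MIT/Heimdal extension GSS_C_DELEG_POLICY_FLAG only forwards when the ticket carries the KDC's OK-AS-DELEGATE flag. The flag values are the standard ones; the struct service_ticket, model_init_sec_context() and the sample tickets are constructed for illustration and are assumptions, not GSSAPI library code.

```c
/* Added example (not Samba code): models how the two GSSAPI delegation
 * request flags interact with the KDC's OK-AS-DELEGATE ticket flag. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values from RFC 2744 (GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG) and the
 * MIT/Heimdal extension GSS_C_DELEG_POLICY_FLAG (0x8000). */
#define GSS_C_DELEG_FLAG        0x0001
#define GSS_C_MUTUAL_FLAG       0x0002
#define GSS_C_DELEG_POLICY_FLAG 0x8000

/* Constructed stand-in for the service ticket the KDC issued; the only
 * field that matters here is the KDC-set OK-AS-DELEGATE flag. */
struct service_ticket {
    const char *service;
    bool ok_as_delegate;
};

/* Model (assumption, after MIT krb5 behaviour) of the client side of
 * gss_init_sec_context(): returns what would appear in ret_flags and sets
 * *forwarded_tgt when the client's TGT would be sent in the AP-REQ. */
uint32_t model_init_sec_context(uint32_t want_flags,
                                const struct service_ticket *tkt,
                                bool *forwarded_tgt)
{
    uint32_t ret_flags = want_flags & GSS_C_MUTUAL_FLAG;
    *forwarded_tgt = false;

    if (want_flags & GSS_C_DELEG_FLAG) {
        /* Unconditional request: the TGT goes out no matter what the KDC said. */
        *forwarded_tgt = true;
        ret_flags |= GSS_C_DELEG_FLAG;
    } else if ((want_flags & GSS_C_DELEG_POLICY_FLAG) && tkt->ok_as_delegate) {
        /* Policy request: delegate only if the KDC marked the service trusted. */
        *forwarded_tgt = true;
        ret_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
    }
    return ret_flags;
}

/* Convenience wrapper: did the TGT leave the client for this request? */
bool tgt_forwarded(uint32_t want_flags, bool ok_as_delegate)
{
    struct service_ticket tkt = { "cifs/fileserver.example.com", ok_as_delegate };
    bool fwd;
    (void)model_init_sec_context(want_flags, &tkt, &fwd);
    return fwd;
}

int main(void)
{
    /* Constructed sample: a service the KDC did NOT mark OK-AS-DELEGATE. */
    uint32_t unconditional = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
    uint32_t policy        = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_POLICY_FLAG;

    printf("DELEG_FLAG, untrusted service:        TGT forwarded = %d\n",
           tgt_forwarded(unconditional, false));
    printf("DELEG_POLICY_FLAG, untrusted service: TGT forwarded = %d\n",
           tgt_forwarded(policy, false));
    printf("DELEG_POLICY_FLAG, trusted service:   TGT forwarded = %d\n",
           tgt_forwarded(policy, true));
    return 0;
}
```

Whichever flag is requested, a caller must still look at ret_flags after the context is established: GSS_C_DELEG_FLAG there is the only indication that credentials were actually delegated.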