[RFC] fix bug 12007

Stefan Metzmacher metze at samba.org
Wed Jul 6 07:49:15 UTC 2016

Hi Simo,

>>> What flags are passed in ? Can you point me at the code path that
>>> generates this ?
>> It's in the default gse context flags.
>> In  gse_context_init(), we have:
>>         gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
>>                                 *GSS_C_DELEG_FLAG* |
> This *must* definitely be made conditional IMHO, it is not ok to just
> send your TGT by default to third parties, it means
> malicious/compromised 3rd parties can simply grab it and then fully
> impersonate you to other services.

It's the KDC's job to check that it trusts the service and include
the delegated creds only if that's the case.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160706/b76f9589/signature.sig>

More information about the samba-technical mailing list