[Samba] RE: Delegation of authentication (S4U) and SAMBA

Andrew Bartlett abartlet at samba.org
Wed Feb 20 22:05:39 GMT 2008

On Wed, 2008-02-20 at 13:58 -0800, Todd Stecher wrote:
> From my readings, only the Heimdal Kerberos distribution has S4USelf
> support, at least in the Samba 4 code base.  MIT tries to stay away
> from being PAC-cognizant.

In terms of Samba4's KDC, S4USelf is something that I need to finish
understanding, particularly in terms of interoperable behaviours etc.

> It sounds like you're trying to do something slightly different - e.g.
> Constrained Delegation, where the identity lives in the PAC, and not
> in the ticket.  There are additional security considerations which
> come into play when relying simply on the PAC, since anyone can put a
> PAC into a service ticket with a custom codebase - you can easily get
> into cases of identity theft if you also don't verify the second
> (KRBTGT HMAC of the server signature) signature in the PAC.

Why do we need to check that, except if we think that unprivileged
processes on our box have access to the keytab?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
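
The two PAC signatures discussed in this thread, as a simplified model added here (not code from Samba, Heimdal or either poster). HMAC-SHA256 stands in for the real PAC checksum types, and the PAC layout, keys and function names are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample keys: the service key lives in the keytab on the
# server; the krbtgt key is known only to the KDC.
SERVICE_KEY = b"constructed-service-key"
KRBTGT_KEY = b"constructed-krbtgt-key"


def mac(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the real PAC checksum algorithms.
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(identity: str) -> dict:
    # The KDC signs the PAC body with the service key, then signs that
    # server signature with the krbtgt key (the "second" signature).
    body = identity.encode()
    server_sig = mac(SERVICE_KEY, body)
    return {"body": body, "server_sig": server_sig,
            "kdc_sig": mac(KRBTGT_KEY, server_sig)}


def pac_from_keytab_holder(identity: str) -> dict:
    # Whoever can read the keytab can produce a valid server signature
    # over any identity, but cannot produce the KDC signature.
    body = identity.encode()
    return {"body": body, "server_sig": mac(SERVICE_KEY, body),
            "kdc_sig": bytes(32)}


def server_sig_ok(pac: dict) -> bool:
    # Check the service can do alone, using only its keytab.
    return hmac.compare_digest(pac["server_sig"], mac(SERVICE_KEY, pac["body"]))


def kdc_sig_ok(pac: dict) -> bool:
    # Check only the KDC can do; the service has to ask it.
    return hmac.compare_digest(pac["kdc_sig"], mac(KRBTGT_KEY, pac["server_sig"]))


def accept(pac: dict, verify_kdc: bool) -> bool:
    if not server_sig_ok(pac):
        return False
    return kdc_sig_ok(pac) if verify_kdc else True


if __name__ == "__main__":
    for name, pac in (("kdc-issued", kdc_issue_pac("alice")),
                      ("keytab-holder", pac_from_keytab_holder("Administrator"))):
        print(name, accept(pac, verify_kdc=False), accept(pac, verify_kdc=True))
```

In this model the second signature only changes the outcome for a PAC built by someone holding the service key, which is the case the question above turns on.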