samba-technical@lists.samba.org

RE: Kerberos Ticket Forwarding patch/update

Subject: RE: Kerberos Ticket Forwarding patch/update
From: "Derrick Schommer"
Date: Thu, 24 Jul 2008 18:03:11 -0400
The OK_AS_DELEGATE is set when the ticket is granted based on a computer 
account being told, on the domain controller, "trusted for delegation".

In those cases, we want to forward on the second ticket for that system so that 
it can negotiate with the back-end storage that it's virtualizing.

Derrick 

-----Original Message-----
From: Love Hörnquist Åstrand [mailto:lha@xxxxxx] 
Sent: Thursday, July 24, 2008 17:53
To: Derrick Schommer
Cc: samba-technical@xxxxxxxxxxxxxxx
Subject: Re: Kerberos Ticket Forwarding patch/update

Hello all,

I would really like to know the behavior of Windows: is it the
OK_AS_DELEGATE flag that really is used to determine if a ticket should
be delegated?

Or is it the application that thinks it should by setting
GSS_C_DELEGATE and the SSPI library that strips it if the
OK_AS_DELEGATE isn't set by the KDC on the service ticket?

If the user never meant to delegate, Samba shouldn't default to.

Love




On 24 Jul 2008, at 21:28, Derrick Schommer wrote:

> Hi,
>
> I'm looking to commit a patch for the 3.0 code base and the 3.2 code
> base to allow Samba using Kerberos authentication to work with proxy
> devices which are set to be "trusted for delegation" in a Windows
> domain. The update, in clikrb5.c, would add detection for tickets with
> OK_AS_DELEGATE and would then request a forwardable ticket from the
> KDC and send it along with the krb5_mk_req_extended() function call.
>
> This would allow operating systems with Samba 3.x to interoperate with
> the F5 Acopia ARX product line for storage virtualization along with
> any other future virtualization vendors. I'm not sure if I send patches
> to this mailer or not (as this patch is 260 lines long and I have one
> for 3.0.x and 3.2.x). I'd love for the team to review it and do what
> would be needed to commit it into the projects.
>
> Thanks in advance.
>
> Derrick Schommer | Corporate Systems Engineer
> F5 Networks
> P 978.513.2900
> F 978.513.2990
> www.f5.com <http://www.f5.com>
> D 978.513.2960
> M 603.765.0012
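
The two client behaviours debated in this thread, written out as an added example (not code from the messages above and not the Samba patch): forwarding whenever the KDC set OK_AS_DELEGATE on the service ticket, versus forwarding only when the caller also asked for delegation. The struct and function names are hypothetical; the ticket flag values are the RFC 4120 TicketFlags bit positions and the request flag is the value of GSS_C_DELEG_FLAG from RFC 2744.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4120 TicketFlags; bit 0 is the most significant bit of the field. */
#define TKT_FORWARDABLE    0x40000000u /* bit 1: TGT may be forwarded */
#define TKT_OK_AS_DELEGATE 0x00040000u /* bit 13: KDC marks service as trusted for delegation */
#define REQ_DELEG          0x1u        /* numeric value of GSS_C_DELEG_FLAG (RFC 2744) */

/* Hypothetical summary of what the client knows before building the AP-REQ. */
struct deleg_ctx {
    uint32_t app_req_flags; /* what the calling application asked for */
    uint32_t svc_tkt_flags; /* flags on the service ticket from the KDC */
    uint32_t tgt_flags;     /* flags on the user's TGT */
};

/* Behaviour A: the KDC flag alone triggers forwarding. The TGT check is
 * there because only a forwardable TGT can be forwarded (RFC 4120). */
bool forward_if_kdc_flag(const struct deleg_ctx *c)
{
    return (c->svc_tkt_flags & TKT_OK_AS_DELEGATE) != 0 &&
           (c->tgt_flags & TKT_FORWARDABLE) != 0;
}

/* Behaviour B: the caller must opt in, and the KDC flag acts as a filter
 * that can only remove delegation, never add it. */
bool forward_if_requested_and_kdc_flag(const struct deleg_ctx *c)
{
    return (c->app_req_flags & REQ_DELEG) != 0 && forward_if_kdc_flag(c);
}

int main(void)
{
    /* Constructed cases: {application request, service ticket, TGT}. */
    const struct deleg_ctx cases[] = {
        { 0,         TKT_OK_AS_DELEGATE, TKT_FORWARDABLE }, /* user never asked */
        { REQ_DELEG, TKT_OK_AS_DELEGATE, TKT_FORWARDABLE }, /* asked, KDC allows */
        { REQ_DELEG, 0,                  TKT_FORWARDABLE }, /* asked, KDC does not */
        { REQ_DELEG, TKT_OK_AS_DELEGATE, 0 },               /* TGT not forwardable */
    };
    puts("case  kdc-flag-only  opt-in-and-kdc-flag");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%zu     %-13s  %s\n", i,
               forward_if_kdc_flag(&cases[i]) ? "forward" : "no",
               forward_if_requested_and_kdc_flag(&cases[i]) ? "forward" : "no");
    return 0;
}
```

The first case is the one the two behaviours disagree on: the user's TGT is handed to the service even though the application never requested delegation.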
