patches to make bind9 with TKEY/GSS updates easier to configure

Andrew Bartlett abartlet at samba.org
Fri Dec 3 22:52:50 UTC 2010


On Fri, 2010-12-03 at 22:47 +0000, Love Hörnquist Åstrand wrote:
> Hello tridge,
> 
> > > An alternative is to use the GSS_C_DELEG_POLICY_FLAG which only
> > > delegates if the admin of the domain has said it's ok to delegate
> > > to that host.
> > 
> > Would you recommend that we add it?
> > 
> > With my current patches the flags we're passing are:
> > 
> > GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG
> > 
> 
> 
> I would recommend what Microsoft sends + GSS_S_DELEG_POLICY_FLAG.

Thanks.  

Tridge,

I'm pretty sure we removed the ability to forward for a good reason,
however, so re-enabling this may expose other gremlins.  I guess we now
need to look into and understand that better.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.