patches to make bind9 with TKEY/GSS updates easier to configure

Andrew Bartlett abartlet at samba.org
Fri Dec 3 23:28:34 UTC 2010


On Fri, 2010-12-03 at 22:59 +0000, Love Hörnquist Åstrand wrote:
> 
> 3 dec 2010 kl. 14:52 skrev Andrew Bartlett:
> 
> > On Fri, 2010-12-03 at 22:47 +0000, Love Hörnquist Åstrand wrote:
> > > Hello tridge,
> > > 
> > > > > An alternative is to use the GSS_C_DELEG_POLICY_FLAG which only
> > > > > delegates if the admin of the domain has said it's ok to delegate
> > > > > to that host.
> > > > 
> > > > Would you recommend that we add it?
> > > > 
> > > > With my current patches the flags we're passing are:
> > > > 
> > > > GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG
> > > > 
> > > 
> > > 
> > > I would recommend what Microsoft sends + GSS_C_DELEG_POLICY_FLAG.
> > 
> > Thanks.
> > 
> > Tridge,
> > 
> > I'm pretty sure we removed the ability to forward for a good reason
> > however, so re-enabling this may expose other gremlins.  I guess we now
> > need to look into and understand that better.
> > 
> 
> Note that I didn't propose GSS_C_DELEG_FLAG; the new flag
> GSS_C_DELEG_POLICY_FLAG will only delegate if the admin for the domain
> has approved delegation (i.e. set the ok-as-delegate ticket flag).

Yes.  I wasn't quite as precise as I should have been.  I understood
your proposal and agree in principle, as long as the actual delegating
process works in all the circumstances we require.  I'm concerned that
we will need to ensure we test in situations where the target is
'ok-as-delegate', and that this may be more difficult to test without a
running KDC (currently, without this, we can test using a credential
cache that has a service ticket with a 26 year lifetime, without needing
to start a KDC).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
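An added example, not from this thread and not BIND or Samba code, for the
testing concern raised above: whether the TKEY target's service ticket
actually carries the ok-as-delegate flag, which is the only thing
GSS_C_DELEG_POLICY_FLAG keys on.  Rather than standing up a KDC, the check
below reads MIT Kerberos `klist -f` output (flag letter 'O' is "okay as
delegate") from a credential cache, so it also works against a prebuilt
cache like the long-lived one described in the reply.  The principal names,
times and the klist output itself are constructed sample data; `live_check`
assumes the MIT `kinit`/`kvno`/`klist` tools and a `host/<fqdn>` keytab
entry, and is not run by default.

```shell
#!/bin/sh
# Added example (not BIND/Samba code). Exit codes of ticket_ok_as_delegate:
#   0 = ticket present and ok-as-delegate (GSS_C_DELEG_POLICY_FLAG will delegate)
#   1 = ticket present but not ok-as-delegate (no delegation will happen)
#   2 = no service ticket for that principal in the cache
# Assumes MIT krb5 `klist -f` output: a ticket is one unindented header line
# (start, expiry, service principal) followed by an indented line that ends
# in "Flags: <letters>", where the letter O means "okay as delegate".
ticket_ok_as_delegate() {
  awk -v p="$1" '
    # header line of the ticket we are looking for
    index($0, p)             { found = 1; next }
    # another unindented line before any Flags line: klist was run without -f
    found && !/^[ \t]/       { exit 1 }
    found && /Flags:/ {
      flags = $0; sub(/.*Flags:[ \t]*/, "", flags)
      exit (index(flags, "O") > 0 ? 0 : 1)
    }
    END { if (!found) exit 2 }
  '
}

# Constructed klist -f output (sample data, not a real cache): the TGT, one
# DNS service ticket whose principal is ok-as-delegate, and one that is not.
sample_klist_output() {
  printf '%b\n' \
    'Ticket cache: FILE:/tmp/krb5cc_tkey_test' \
    'Default principal: host/ns1.example.com@EXAMPLE.COM' \
    '' \
    'Valid starting       Expires              Service principal' \
    '12/03/2010 23:00:00  12/04/2010 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM' \
    '\trenew until 12/10/2010 23:00:00, Flags: FRIA' \
    '12/03/2010 23:00:05  12/04/2010 09:00:00  DNS/ns1.example.com@EXAMPLE.COM' \
    '\tFlags: FAO' \
    '12/03/2010 23:00:09  12/04/2010 09:00:00  DNS/ns2.example.com@EXAMPLE.COM' \
    '\tFlags: FA'
}

# Live variant (assumption: MIT tools, default keytab holds host/<fqdn>):
# get a TGT into a throwaway cache, fetch the target's service ticket with
# kvno, then inspect its flags. Not executed by the stand-alone demo below.
live_check() {
  target="$1"                                   # e.g. DNS/ns1.example.com@EXAMPLE.COM
  KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
  kinit -k "host/$(hostname -f)" && kvno "$target" >/dev/null &&
    klist -f | ticket_ok_as_delegate "$target"
  rc=$?
  kdestroy >/dev/null 2>&1
  return $rc
}

# Stand-alone demo over the constructed sample.
for p in DNS/ns1.example.com@EXAMPLE.COM DNS/ns2.example.com@EXAMPLE.COM; do
  rc=0
  sample_klist_output | ticket_ok_as_delegate "$p" || rc=$?
  case $rc in
    0) echo "$p: ok-as-delegate set; GSS_C_DELEG_POLICY_FLAG would delegate" ;;
    1) echo "$p: ticket present but not ok-as-delegate; no delegation" ;;
    *) echo "$p: no service ticket in the cache (run kvno first)" ;;
  esac
done
```

The runtime counterpart of this check is on the client side of
gss_init_sec_context(): whatever req_flags were requested, GSS_C_DELEG_FLAG
is set in ret_flags only if credentials were actually delegated, so a test
for the TKEY path should assert on that bit for the ok-as-delegate target
and on its absence for the other.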