Bug 10707 - ntlm_auth --helper-protocol=gss-spnego does not honour --target-service and --target-hostname
ntlm_auth --helper-protocol=gss-spnego does not honour --target-service and -...
Status: RESOLVED LATER
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.1.9
All All
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-11 12:19 UTC by David Woodhouse
Modified: 2017-01-03 03:04 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Woodhouse 2014-07-11 12:19:28 UTC
I'm using squid configured thus:

auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --target-service=rcmd --target-hostname=dwodhou-linux.ger.corp.intel.com

I deliberately put errors in the --target-service and --target-hostname arguments. Surely it should have stopped working? But it seems to accept Kerberos tickets for *any* service that's in the keytab.
Comment 1 Andrew Bartlett 2017-01-03 03:04:27 UTC
Correct, those options are for the client mode.  We accept any service in the keytab, as in the AD model, we may have multiple names, and an administrator may add any to our KDC without notifying Samba.

I get that we could use those options to implement match-by-name rather than match-by-key, and arguably that much is a bug, but absent a tested patch (which would be most welcome) I don't think we are likely to extend it in that way.