Bug 10707 - ntlm_auth --helper-protocol=gss-spnego does not honour --target-service and --target-hostname
Summary: ntlm_auth --helper-protocol=gss-spnego does not honour --target-service and -...
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.1.9
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-07-11 12:19 UTC by David Woodhouse
Modified: 2017-01-03 03:04 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description David Woodhouse 2014-07-11 12:19:28 UTC
I'm using squid configured thus:

auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --target-service=rcmd --target-hostname=dwodhou-linux.ger.corp.intel.com

I deliberately put errors in the --target-service and --target-hostname arguments. Surely it should have stopped working? But it seems to accept Kerberos tickets for *any* service that's in the keytab.
Comment 1 Andrew Bartlett 2017-01-03 03:04:27 UTC
Correct, those options are for the client mode.  We accept any service in the keytab, as in the AD model, we may have multiple names, and an administrator may add any to our KDC without notifying Samba.

I get that we could use those options to implement match-by-name rather than match-by-key, and arguably that much is a bug, but absent a tested patch (which would be most welcome) I don't think we are likely to extend it in that way.