Bug 10707 - ntlm_auth --helper-protocol=gss-spnego does not honour --target-service and --target-hostname
Status: RESOLVED LATER
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2014-07-11 12:19 UTC by David Woodhouse
Modified: 2017-01-03 03:04 UTC
Description David Woodhouse 2014-07-11 12:19:28 UTC
I'm using squid configured thus:

auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --target-service=rcmd --target-hostname=dwodhou-linux.ger.corp.intel.com

I deliberately put errors in the --target-service and --target-hostname arguments. Surely it should have stopped working? But it seems to accept Kerberos tickets for *any* service that's in the keytab.
Comment 1 Andrew Bartlett 2017-01-03 03:04:27 UTC
Correct, those options are for the client mode.  We accept any service in the keytab, as in the AD model, we may have multiple names, and an administrator may add any to our KDC without notifying Samba.

I get that we could use those options to implement match-by-name rather than match-by-key, and arguably that much is a bug, but absent a tested patch (which would be most welcome) I don't think we are likely to extend it in that way.
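
Added example, not part of the bug thread and not Samba's code: because the helper accepts tickets for any service in the keytab, one practical check is to list the principals a keytab holds and flag every one other than the service the proxy is meant to serve. The sketch parses the MIT keytab file format version 0x0502; the sample keytab bytes, the host and realm names, and the `unexpected_principals` helper are constructed for illustration.

```python
import struct

def _counted(data, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return sorted (principal, kvno, enctype) tuples from 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        # Skip name type and timestamp (8 bytes), then read kvno8, enctype, key length.
        kvno, enctype, keylen = struct.unpack_from(">BHH", data, p + 8)
        p += 13 + keylen
        if pos + size - p >= 4:       # optional trailing 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.add(("/".join(comps) + "@" + realm, kvno, enctype))
        pos += size
    return sorted(entries)

def unexpected_principals(data, service, hostname):
    """Principals in the keytab other than service/hostname@<any realm>."""
    want = f"{service}/{hostname}@"
    return sorted({p for p, _, _ in parse_keytab(data) if not p.startswith(want)})

def _entry(name, realm, kvno, enctype, key):  # builds one entry for the constructed sample
    s = lambda b: struct.pack(">H", len(b)) + b
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(map(s, parts))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: three service principals for one host, with a hole between them.
HOST = "proxy.example.test"
_E = lambda svc: _entry(f"{svc}/{HOST}", "EXAMPLE.TEST", 3, 18, bytes(32))
SAMPLE = b"\x05\x02" + _E("HTTP") + struct.pack(">i", -6) + bytes(6) + _E("host") + _E("cifs")
print(unexpected_principals(SAMPLE, "HTTP", HOST))
```

To audit a real file, pass `open(path, "rb").read()` as `data`; a keytab used only by the proxy helper should ideally return an empty list for the intended service and hostname.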