Simo Sorce ssorce at redhat.com
Thu May 8 18:40:13 EDT 2008

On Thu, 2008-05-08 at 15:15 -0700, Paul Moore wrote:
> The GSS layer should enforce the obedience of this flag. In the current
> MIT gss code it does not. This is very bad (we have reported this
> before). The KDC has set a flag saying 'don't forward this' and yet the
> MIT client code forwards it anyway. We offered a fix (we have it in
> place already) but were told 'no thanks'. I suspect that the reason the
> client side code ignores it is because the MIT KDC never sets it and so
> nobody in MIT has paid much attention to it. MS AD KDC uses it all the
> time. In fact AD's default mode is to set 'do not forward '

Paul, is your patch public somewhere?
I'd be interested in testing it some.
I agree that the GSS layer should enforce it, and I think it would
indeed be very useful to delegate these decisions as much as possible to
a component that can be easily controlled by the administrator rather
than hoping the apps honor it by their own choice.


Simo Sorce * Red Hat, Inc * New York
