
Bug #6979

smbadm join should not try to set TRUSTED_FOR_DELEGATION

Added by Paul Henson over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
cifs - CIFS server and client
Start date:
2016-05-17
Due date:
% Done:

0%

Estimated time:
Difficulty:
Bite-size
Tags:
needs-triage
Gerrit CR:

Description

For reasons evidently lost to history, smbadm currently tries to enable the TRUSTED_FOR_DELEGATION flag on the Active Directory machine account it creates when joining a domain. This flag allows an account to take a set of credentials that were used to authenticate to a service it is providing and then turn around and use those same credentials to authenticate to another service as that user, which is very sensitive from a security perspective. There's really no reason a simple file member server should have this great level of privilege, and it drastically increases the potential impact of that server being compromised.

That code should probably just be removed, and in the unlikely scenario a use case pops up that requires it, a domain administrator can enable it via the Active Directory Users and Computers admin interface, which also allows restricting the level of delegation and other parameters which make it safer to use.
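The flag the report refers to is a bit in the machine account's userAccountControl attribute. The following Python, added here as an illustration and not part of illumos or smbadm, shows how a domain administrator can audit for member servers that carry that bit and what clearing it amounts to. The flag values are the documented userAccountControl bits; the LDIF text, host names and domain are constructed sample data, and the bitwise-AND matching rule OID in the filter is the standard one Active Directory accepts in LDAP searches.

```python
"""Audit userAccountControl for TRUSTED_FOR_DELEGATION on member servers.

Added example (not illumos/smbadm code). Parses LDIF-style output such as
ldapsearch prints and reports computer accounts that have unconstrained
delegation enabled while not being domain controllers.
"""

# Documented userAccountControl bits (MS-SAMR / MS-ADTS).
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000        # ordinary member server / workstation
UF_SERVER_TRUST_ACCOUNT = 0x2000             # domain controller
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000          # unconstrained delegation (the flag at issue)
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000  # constrained delegation w/ protocol transition

FLAG_NAMES = {
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

# LDAP extensible-match rule for "attribute AND mask != 0".
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def delegation_filter():
    """LDAP filter that selects computer accounts with the flag set."""
    return "(&(objectClass=computer)(userAccountControl:%s:=%d))" % (
        LDAP_MATCHING_RULE_BIT_AND, UF_TRUSTED_FOR_DELEGATION)


def decode_uac(value):
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries


def find_unconstrained_delegation(entries):
    """DNs of non-DC accounts with TRUSTED_FOR_DELEGATION set."""
    flagged = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            flagged.append(e["dn"])
    return flagged


def clear_delegation(uac):
    """What removing the flag does to the attribute value: drop that one bit."""
    return uac & ~UF_TRUSTED_FOR_DELEGATION


# Constructed sample: a member server joined with the flag, a DC (legitimately
# flagged), and a plain workstation.
SAMPLE_LDIF = """\
dn: CN=FILESRV01,CN=Computers,DC=example,DC=test
userAccountControl: 528384

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
userAccountControl: 532480

dn: CN=WS02,CN=Computers,DC=example,DC=test
userAccountControl: 4096
"""

if __name__ == "__main__":
    print("search filter:", delegation_filter())
    for dn in find_unconstrained_delegation(parse_ldif(SAMPLE_LDIF)):
        print("unconstrained delegation on member server:", dn)
```

Domain controllers are skipped because they carry the flag by design; everything else the search returns is a candidate for clearing the bit, which the report notes a domain administrator can also do from Active Directory Users and Computers.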
