Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or a trusted domain/realm, is given a valid general-purpose Kerberos Ticket Granting Ticket (TGT) for the client, which can be used to fully impersonate the authenticated user or service against any other service in the realm.

The risks of impersonation of the client are similar to the well-known risks of NTLM credential forwarding (relay), with two important differences:

- NTLM forwarding can and should be mitigated with packet signing, which binds the session to the party that actually authenticated.

- Kerberos forwarding can only be attempted after the trusted destination server decrypts the ticket: the forwarded TGT is sent encrypted under a key that only the genuine service (the holder of its long-term key) can recover, so a network intermediary gains nothing, and the exposure is to the legitimate destination server itself, or to whoever has compromised it.
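A forwarded TGT can only be produced from a TGT that the KDC marked forwardable, so the first thing to check on a client is whether its credential cache holds such a TGT. The following is an added example, not code from Samba or from this advisory: a small parser for MIT Kerberos `klist -f` output that reports the flags on each ticket and whether the krbtgt ticket is forwardable. The sample output is constructed (the principals, times and cache path are made up), and the flag letters follow the MIT klist(1) convention; Heimdal's klist prints flags differently and would need its own pattern.

```python
import re
from typing import Dict, List, Set

# Constructed sample of MIT Kerberos `klist -f` output (not captured from a real
# host). The TGT carries F (forwardable); the cifs service ticket does not.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/08/2024 10:00:00, Flags: FRIA
01/01/2024 10:01:00  01/01/2024 20:00:00  cifs/fileserver.example.com@EXAMPLE.COM
\tFlags: RA
"""

# MIT klist(1) flag letters; only the ones relevant to delegation are spelled out.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxied",
    "R": "renewable", "I": "initial", "A": "preauthenticated",
}

# A ticket line: "<start date time>  <expiry date time>  <service principal>".
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(?P<princ>\S+)$"
)
# The indented continuation line that carries "Flags: ...".
FLAGS_RE = re.compile(r"Flags: (?P<flags>[A-Za-z]+)")


def parse_klist(text: str) -> List[Dict[str, object]]:
    """Return one dict per ticket: {'principal': str, 'flags': set of flag letters}."""
    tickets: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m.group("princ"), "flags": set()})
            continue
        m = FLAGS_RE.search(line)
        # Flags belong to the most recent ticket line; continuation lines are indented.
        if m and tickets and line[:1].isspace():
            flags: Set[str] = tickets[-1]["flags"]  # type: ignore[assignment]
            flags.update(m.group("flags"))
    return tickets


def tgt_is_forwardable(tickets: List[Dict[str, object]]) -> bool:
    """True if any krbtgt ticket in the cache carries the forwardable (F) flag.

    Without such a TGT a client cannot hand a forwarded TGT to a server at all.
    """
    return any(
        str(t["principal"]).startswith("krbtgt/") and "F" in t["flags"]  # type: ignore[operator]
        for t in tickets
    )


def delegation_report(text: str) -> Dict[str, object]:
    """Summarise a klist -f dump: per-ticket flag names plus the forwardable-TGT verdict."""
    tickets = parse_klist(text)
    return {
        "forwardable_tgt": tgt_is_forwardable(tickets),
        "tickets": {
            str(t["principal"]): sorted(FLAG_NAMES.get(c, c) for c in t["flags"])  # type: ignore[attr-defined]
            for t in tickets
        },
    }


if __name__ == "__main__":
    report = delegation_report(SAMPLE_KLIST)
    for princ, names in report["tickets"].items():  # type: ignore[attr-defined]
        print(f"{princ}: {', '.join(names)}")
    if report["forwardable_tgt"]:
        print("TGT is forwardable: a Samba client can delegate it to any server it talks to.")
    else:
        print("TGT is not forwardable: Kerberos credential forwarding is not possible from this cache.")
```

On a real client, feed it the output of `klist -f`. With MIT Kerberos a non-forwardable TGT can be obtained with `kinit -F`, or by setting `forwardable = false` in the `[libdefaults]` section of `krb5.conf`; both are MIT options, not Samba settings, and they remove the client's ability to forward regardless of what the SMB client requests.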