List:       cifs-protocol
Subject:    Re: [cifs-protocol] Clarification request on cross-realm RBCD in MS-SFU 3.2.5.2.2
From:       Isaac Boukris via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2020-01-28 13:30:23
Message-ID: CAC-fF8RHa0YozzwRF6jc2PYYZ1cmRVaWOvDw+XX85Obs0xgFuw () mail ! gmail ! com

Hi again,

On Sun, Jan 26, 2020 at 1:57 PM Isaac Boukris <iboukris@gmail.com> wrote:
> 
> When a KDC replies with a Service Ticket (MS-SFU 3.2.5.2.2), how does it
> determine the reply cname and crealm?
> 
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ce6bbf34-0f11-40d6-93d1-165a3afa0223
>  
> Per the above doc, it sounds like it should be the cname and crealm
> from the additional-ticket, however in RBCD, when the
> additional-ticket is a cross-tgt the cname and crealm are of service-1
> and not of the impersonated client.
> 
> In contrast, I've observed that Windows KDC constructs the
> impersonated client's principal name from the PAC, and sets the reply
> cname and crealm to that principal's. However, I can't find any clear
> document that reflects it.

I sent this over the weekend, and perhaps it got lost.

In short, I think the MS-SFU 3.2.5.2.2 section was not updated for
cross-realm RBCD, as other parts of the document were. Please review and
assign :)
