List: cifs-protocol
Subject: Re: [cifs-protocol] [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC environment - TrackingID#
From: Isaac Boukris via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2021-10-20 17:27:24
Message-ID: CAC-fF8T8ej00wScFEEwQv3T2sjrUHRk25xgeUhUd79ou2b3J7Q () mail ! gmail ! com
Hi Sreekanth,
Thanks for investigating this.
On Wed, Oct 20, 2021 at 8:06 PM Sreekanth Nadendla
<srenaden@microsoft.com> wrote:
>
> In order for this to work the user must have authenticated to an RODC to get their
> RODC TGT. Then that user must have privileges to access a server outside the RODC
> environment, such that the server gets a TGT from a RWDC. Then the user must
> request a ticket from the RODC and get an RODC service ticket to the server
> authenticated by the RWDC. To the best of my knowledge that last bit is the
> sticking point. That RODC shouldn't normally be able to issue a ticket to that
> server. That breaks the RODC security model.
That should depend on the configuration to my understanding.
> I'm still working with them for doc obligations. Will provide an update if they
> determine whether we need to update the spec. Right now they don't seem to think we
> have anything to update in the spec.
I must agree on that; I can't seem to find any related spec if we were
to call it an update.
Cheers
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol