List: krbdev
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situ
From: Stefan Metzmacher <metze () samba ! org>
Date: 2020-01-24 18:49:37
Message-ID: 9062428f-f26d-4f10-b71f-f54464df2ff4 () samba ! org
Hi Greg,
> On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
>
> Does this need to be an application flag, or can it be in the krb5.conf
> realm configuration? Presumably people are currently working around
> this by setting [capaths] on the server; a realm variable would simplify
> this workaround by not requiring specific knowledge of the domain geometry.
>
> I reviewed the thread, and it sounds like the current understanding is
> that AD applies a transited check (of sorts) to cross-realm tickets, but
> doesn't say so by setting the transit-policy-checked flag in the
> ticket.
Exactly.
> From the upstream point of view the server's realm
> configuration is in a better position to know that the realm is an AD
> realm than the server application; perhaps that is not true from Samba's
> point of view, but I thought I would check.
In Samba we know that we're joined to an AD domain
and then we want to force disabling the transited check
for gss_accept_sec_context().
For Samba as AD DC we also want to disable this for
krb5_rd_req_decoded in the KDC.
A krb5.conf option would also be good in order to support
non-Samba services in AD domains. But the C library should also
support changing it at runtime.
metze
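The acceptor-side decision the thread is arguing about, as an added illustration that is not MIT krb5 or Samba code: a cross-realm ticket either carries the transited-policy-checked flag (the KDC enforced policy), or the acceptor decodes the transited field itself and checks every listed realm against the path its own configuration allows ([capaths], falling back to the DNS-style realm hierarchy). The third branch, `ignore_transited_check`, is the runtime opt-out Samba asks for, since AD KDCs do the check but never set the flag. All realm names, the `capaths` dict layout and the function names are this example's own assumptions; only the flag value follows MIT krb5's `TKT_FLG_TRANSIT_POLICY_CHECKED` (KerberosFlags bit 12, RFC 4120).

```python
"""Toy model of the transited-realm check an acceptor performs on a
cross-realm ticket (what krb5_rd_req_decoded() does when the KDC did not
set transited-policy-checked).  Illustration only, not library code."""

TKT_FLG_TRANSIT_POLICY_CHECKED = 0x00080000   # MIT krb5 value, RFC 4120 bit 12


class IllegalCrossRealmTicket(Exception):
    """Stands in for KRB5KRB_AP_ERR_ILL_CR_TKT."""


def decode_transited(encoded):
    """Expand a DOMAIN-X500-COMPRESS transited field (RFC 4120 3.3.3.2).

    Returns the realms that were explicitly listed.  Null subfields (",,",
    or a leading/trailing ",") only assert that the realms between their
    neighbours were traversed, so they name nothing to check and are dropped.
    """
    # Tokenise into fields of (char, quoted) pairs; a backslash quotes the
    # next character, so a quoted "," does not split and a quoted "." or
    # " " loses its special meaning.
    fields, cur, i = [], [], 0
    while i < len(encoded):
        if encoded[i] == "\\" and i + 1 < len(encoded):
            cur.append((encoded[i + 1], True))
            i += 2
            continue
        if encoded[i] == ",":
            fields.append(cur)
            cur = []
        else:
            cur.append((encoded[i], False))
        i += 1
    fields.append(cur)

    realms, prev = [], ""               # realm before the first field is ""
    for field in fields:
        if not field:
            continue                    # null subfield
        text = "".join(c for c, _ in field)
        if field[-1] == (".", False):   # "MIT." after "EDU"  -> "MIT.EDU"
            realm = text + prev
        elif field[0] == ("/", False):  # "/HP" after "/COM"  -> "/COM/HP"
            realm = prev + text
        elif field[0] == (" ", False):  # " /COM/DEC"         -> full name
            realm = text[1:]
        else:
            realm = text
        realms.append(realm)
        prev = realm
    return realms


def hierarchical_path(client_realm, server_realm):
    """Intermediates implied by DNS-style realm names when no [capaths] entry
    exists, e.g. ATHENA.MIT.EDU -> CS.WASHINGTON.EDU via MIT.EDU, EDU,
    WASHINGTON.EDU.  Simplified model (assumption): walk up to the common
    ancestor and down again; with no common suffix walk both chains fully."""
    def ancestors(realm):
        parts = realm.split(".")
        return [".".join(parts[i:]) for i in range(1, len(parts))]
    up, down = ancestors(client_realm), ancestors(server_realm)
    common = [r for r in up if r in down]
    if common:
        up = up[: up.index(common[0]) + 1]
        down = down[: down.index(common[0])]
    path = up + list(reversed(down))
    return [r for r in path if r not in (client_realm, server_realm)]


def allowed_intermediates(client_realm, server_realm, capaths):
    """Realms permitted in the transited field.  `capaths` is this example's
    dict form of the krb5.conf section: {client: {server: [realms...]}},
    where "." means a direct trust with no intermediates."""
    path = capaths.get(client_realm, {}).get(server_realm)
    if path is None:
        return set(hierarchical_path(client_realm, server_realm))
    return {r for r in path if r != "."}


def check_transited_policy(ticket_flags, client_realm, server_realm, transited,
                           capaths, ignore_transited_check=False):
    """Return the realms the acceptor verified, or raise on policy failure."""
    if ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED:
        return []                       # KDC already enforced the policy
    if ignore_transited_check:
        return []                       # application opted out (AD realm)
    if client_realm == server_realm:
        return []                       # not a cross-realm ticket
    realms = decode_transited(transited)
    allowed = allowed_intermediates(client_realm, server_realm, capaths)
    bad = [r for r in realms if r not in allowed]
    if bad:
        raise IllegalCrossRealmTicket("realm(s) not on trusted path: %r" % bad)
    return realms


if __name__ == "__main__":
    # Constructed AD-style case: the ticket was routed through a bridging
    # realm the acceptor's hierarchy knows nothing about, and the KDC did not
    # set the flag.  Without [capaths] or the opt-out, the ticket is rejected.
    args = (0, "CHILD.CORP.EXAMPLE", "PARTNER.NET", "CORP.EXAMPLE,BRIDGE.EXAMPLE")
    try:
        check_transited_policy(*args, {})
    except IllegalCrossRealmTicket as e:
        print("no capaths:", e)
    cap = {"CHILD.CORP.EXAMPLE": {"PARTNER.NET": ["CORP.EXAMPLE", "BRIDGE.EXAMPLE"]}}
    print("with capaths:", check_transited_policy(*args, cap))
    print("opt-out:", check_transited_policy(*args, {}, ignore_transited_check=True))
```

The check is membership-based: every realm the KDCs recorded must be one the acceptor's configuration trusts as an intermediary for this client/server pair; order is not enforced here. The two acceptance paths at the top are the ones the thread contrasts: the flag the AD KDC never sets, and the per-application (or, as Greg suggests, per-realm) switch that makes the acceptor trust the AD KDC's own enforcement.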
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev