List:       openjdk-security-dev
Subject:    Re: RFR 8005819: Support cross-realm MSSFU
From:       Martin Balao <mbalao () redhat ! com>
Date:       2019-11-04 18:14:49
Message-ID: 45c49fe0-833b-68c8-956e-e262030e64e6 () redhat ! com

Hi Michael,

On 11/3/19 4:54 PM, Michael Osipov wrote:
> 
> Yes, sure. The spot just made me wonder. My understanding for S4U2self
> (my knowledge is limited to the AD KDC, may be different in MIT
> Kerberos). You may or may not sign onto a service with Kerberos, the
> service (HTTP/host@REALM) knows your UPN (client1@REALM). Now the
> service wants to connect to a PostgreSQL DB with your credentials by
> using S4U2self and then S4U2proxy. Since the SPN HTTP/host@REALM is
> bound to either a machine account (server1$@REALM) or service account
> (service@REALM) you have to impersonate with that account and not with
> the SPN, then as soon as you have the TGT, you can request the service
> ticket for the target service.
> The confusion was 'sname' combined with 'PrincipalName.KRB_NT_PRINCIPAL'.
> 

Thanks for your clarification. My understanding is that you are
referring to line 546 of webrev.01 [1]. 'sname' is the backend service
name. As you well pointed out, it won't be of KRB_NT_PRINCIPAL type. In
addition to that, there is no need to create a new sname PrincipalName
there because we can use the instance received by parameter and it is
not mutable. This has been addressed in webrev.02 [2].

Thanks,
Martin.-

--
[1] -
http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.01/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java.sdiff.html
[2] -
http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.02/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java.sdiff.html
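
The S4U2self-then-S4U2proxy sequence described in the quoted reply, as it is driven through the JGSS API in OpenJDK (the account owning the SPN logs in, impersonates the user, then initiates a context to the backend). This is an added illustration for readers of the thread, not code from the webrev or the list; the JAAS entry name, principals, hostnames and realms are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UFlow {
    // Kerberos v5 mechanism OID.
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    public static void main(String[] args) throws Exception {
        // 1. Log in as the account that owns HTTP/host@REALM, i.e. the service
        //    account (service@REALM) or machine account (server1$@REALM), not the
        //    SPN itself. "ServiceLogin" is an assumed JAAS entry (Krb5LoginModule,
        //    typically keytab based). The KDC must have this account trusted for
        //    constrained delegation to the backend, otherwise S4U2proxy is refused.
        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();

        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH);
            GSSCredential self = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    krb5, GSSCredential.INITIATE_ONLY);

            // 2. S4U2self: the service obtains a ticket to itself in the name of the
            //    user it already authenticated by other means (placeholder UPN below;
            //    with the cross-realm support this RFR adds, the user's realm may
            //    differ from the service's).
            GSSName user = mgr.createName("client1@REALM", GSSName.NT_USER_NAME);
            GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);

            // 3. S4U2proxy: initiating a context to the backend with the impersonated
            //    credential makes the Krb5 mechanism request the backend service ticket
            //    on the user's behalf (placeholder backend SPN).
            GSSName backend = mgr.createName("postgres/db.example.com@REALM",
                    GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(backend, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
            // The returned token is the AP-REQ to hand to PostgreSQL's GSSAPI auth.
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        System.out.println("initial context token: " + token.length + " bytes");
    }
}
```

Backend-side logs of a successful run show the user principal, not the service account, as the authenticated client, which is the property to verify when testing a delegation setup.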
