[38971] in Kerberos


Re: Query regarding S4U2Self protocol extension

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Wed Aug 25 03:33:23 2021

In-Reply-To: <CAMeQEL_MsWJHZywXFF1NmHCkd1sCSLJfyGhOqUm4R1KgerjRcg@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 25 Aug 2021 10:30:24 +0300
Message-ID: <CAC-fF8QKT7RckFCps_ike73N0XE7ZyS5sxZkAebJwWKn8NjntA@mail.gmail.com>
To: Vipul Mehta <vipulmehta.1989@gmail.com>
Cc: kerberos <kerberos@mit.edu>

Hi Vipul,

On Wed, Aug 25, 2021 at 6:12 AM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
>
> I have one more query on this based on the following statement in a Microsoft document:
>
> "If a non forwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."
>
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
>
> Is this implemented in the MIT Kerberos client?

No, it isn't; we just assume all the KDCs support RBCD.

I think this has become less relevant now that RBCD requires the
forwardable flag as well [1]. I guess this doc should be updated too.

[1] https://lists.samba.org/archive/cifs-protocol/2021-July/003608.html
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
