[19628] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: [kitten] Checking the transited list of a kerberos ticket in a

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Aug 23 20:38:24 2017

To: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org,
        "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
        "kitten@ietf.org"
	<kitten@ietf.org>,
        Samba Technical <samba-technical@lists.samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
Date: Wed, 23 Aug 2017 20:38:07 -0400
MIME-Version: 1.0
In-Reply-To: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
> 
> But Windows KDCs doesn't set this bit (I guess because it's just not
> useful).

I don't agree at all that the bit isn't useful.  That bit is how a KDC
communicates that it vouches for the transited path.  Unfortunately, you
do appear to be correct about Windows KDCs.  MS-KILE says:

    The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
    MUST NOT check for transited domains on servers or a KDC.
    Application servers MUST ignore the TRANSITED-POLICYCHECKED flag.

which basically means Microsoft has declined to conform to RFC 4120 in
this area, instead requiring servers to implement PACs to interoperate
in a cross-realm environment.

I guess the proposed credential option is necessary, in that case.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post