[19635] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: [kitten] Checking the transited list of a kerberos ticket in a

daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Thu Aug 24 09:11:41 2017

To: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>,
        heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
        "kitten@ietf.org" <kitten@ietf.org>,
        Samba Technical <samba-technical@lists.samba.org>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Date: Thu, 24 Aug 2017 15:11:16 +0200
MIME-Version: 1.0
In-Reply-To: <1503578184.3428.19.camel@redhat.com>
Content-Type: multipart/mixed; boundary="===============7379549447136254385=="
Errors-To: krbdev-bounces@mit.edu

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7379549447136254385==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="3V9pwCB94eJpShPt1V5HKEaEoTkekOP32"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32
Content-Type: multipart/mixed; boundary="lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI";
	protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>,
	heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
	"kitten@ietf.org" <kitten@ietf.org>,
	Samba Technical <samba-technical@lists.samba.org>
Message-ID: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a
	transitive cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
	<649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
	<33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
	<007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
	<69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
	<ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
	<1503578184.3428.19.camel@redhat.com>
In-Reply-To: <1503578184.3428.19.camel@redhat.com>

--lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi Simo,

>> I guess the proposed credential option is necessary, in that case.
>>
>=20
> I think in this case ignoring the flag should probably be conditional
> to whether a PAC is present.

We should enforce a PAC always to be present, as we don't support
trusted domains with LSA_TRUST_TYPE_MIT anyway.

metze


--lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI--

--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJZntB3AAoJEA219WEoab1WeBgQAIO4n8HBpj69AZnYyyUrORDc
d39uVAUjjSsOFxVCSdC1p2U6UH+vHQ3TU5FrNIS4+YsZ4+Q3yW9pUwo7MyxGCtcV
kjGHt7mdjid7q2qQ/5xjc6NSBw0tlpwBC/pYDsOdGbF7cRny5ZePyPGsFHhRpCNt
arVyHLrdab5em8Ni4RDP+Ux7n+SGFr8XLoLD66gL9fTrEj3TimKcC07yf+47jt5u
G2vz+GLVWB04gJJDPneez6CaSMQgp1v/aoz4wO9XklTHS/kqa9CgN/fmEu2CSoor
yJWwYSWxJdw+biFIRtMyxLNSz+AMk5dYqgBeEG6m5JKf3Qy/4yBw7envpP7IaFv4
EM5PMtiGSFEl7QfAipHBmCUKnnQlqIeQtsfWTtMw0eu/QBiW5pm5Qlh6K947pGkn
3CdL+QSWV2rmuG2urgOVVNgQ5RFs67gVRi5rWtYAb2iWmOKsRt8K70pI2xaFCLin
ZqChGQD43Uum+hBekFLIrTa2EGkK7HeyOGwOipyruaPd2QKBkPkr4gmsmho13uP+
wKN0iQMXXj8Y3JrHunKVoBYOUdMtOyn/fRYEmy2YHLNRLl7+nGyOXKEzZKLSvLvp
NH1vVqYGoSxCAW9f++B5fQupA4QeGi6nBvG22cEy0MlsXjEXJbtmIpbKdM9SAyIg
H4E2rLsWyT6drUCEiZF8
=nLfj
-----END PGP SIGNATURE-----

--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32--

--===============7379549447136254385==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

--===============7379549447136254385==--

home help back first fref pref prev next nref lref last post