[19635] in Kerberos_V5_Development
Re: [kitten] Checking the transited list of a kerberos ticket in a
daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Thu Aug 24 09:11:41 2017
To: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>,
heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
"kitten@ietf.org" <kitten@ietf.org>,
Samba Technical <samba-technical@lists.samba.org>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Date: Thu, 24 Aug 2017 15:11:16 +0200
MIME-Version: 1.0
In-Reply-To: <1503578184.3428.19.camel@redhat.com>
Content-Type: multipart/mixed; boundary="===============7379549447136254385=="
Errors-To: krbdev-bounces@mit.edu
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7379549447136254385==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="3V9pwCB94eJpShPt1V5HKEaEoTkekOP32"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32
Content-Type: multipart/mixed; boundary="lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI";
protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>,
heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
"kitten@ietf.org" <kitten@ietf.org>,
Samba Technical <samba-technical@lists.samba.org>
Message-ID: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a
transitive cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
<649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
<33c431f5-c36b-c321-de3f-65977d8aa898@samba.org>
<007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu>
<69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
<ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
<1503578184.3428.19.camel@redhat.com>
In-Reply-To: <1503578184.3428.19.camel@redhat.com>
--lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Hi Simo,
>> I guess the proposed credential option is necessary, in that case.
>>
>=20
> I think in this case ignoring the flag should probably be conditional
> to whether a PAC is present.
We should enforce a PAC always to be present, as we don't support
trusted domains with LSA_TRUST_TYPE_MIT anyway.
metze
--lc9efAcpK1OUdNrIMDoJK1vUevOhJKhoI--
--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJZntB3AAoJEA219WEoab1WeBgQAIO4n8HBpj69AZnYyyUrORDc
d39uVAUjjSsOFxVCSdC1p2U6UH+vHQ3TU5FrNIS4+YsZ4+Q3yW9pUwo7MyxGCtcV
kjGHt7mdjid7q2qQ/5xjc6NSBw0tlpwBC/pYDsOdGbF7cRny5ZePyPGsFHhRpCNt
arVyHLrdab5em8Ni4RDP+Ux7n+SGFr8XLoLD66gL9fTrEj3TimKcC07yf+47jt5u
G2vz+GLVWB04gJJDPneez6CaSMQgp1v/aoz4wO9XklTHS/kqa9CgN/fmEu2CSoor
yJWwYSWxJdw+biFIRtMyxLNSz+AMk5dYqgBeEG6m5JKf3Qy/4yBw7envpP7IaFv4
EM5PMtiGSFEl7QfAipHBmCUKnnQlqIeQtsfWTtMw0eu/QBiW5pm5Qlh6K947pGkn
3CdL+QSWV2rmuG2urgOVVNgQ5RFs67gVRi5rWtYAb2iWmOKsRt8K70pI2xaFCLin
ZqChGQD43Uum+hBekFLIrTa2EGkK7HeyOGwOipyruaPd2QKBkPkr4gmsmho13uP+
wKN0iQMXXj8Y3JrHunKVoBYOUdMtOyn/fRYEmy2YHLNRLl7+nGyOXKEzZKLSvLvp
NH1vVqYGoSxCAW9f++B5fQupA4QeGi6nBvG22cEy0MlsXjEXJbtmIpbKdM9SAyIg
H4E2rLsWyT6drUCEiZF8
=nLfj
-----END PGP SIGNATURE-----
--3V9pwCB94eJpShPt1V5HKEaEoTkekOP32--
--===============7379549447136254385==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--===============7379549447136254385==--