[19639] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: [kitten] Checking the transited list of a kerberos ticket in a

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Aug 24 13:36:47 2017

Message-ID: <1503596189.3428.26.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Stefan Metzmacher <metze@samba.org>, Greg Hudson <ghudson@mit.edu>,
        heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
        "kitten@ietf.org" <kitten@ietf.org>,
        Samba Technical <samba-technical@lists.samba.org>
Date: Thu, 24 Aug 2017 13:36:29 -0400
In-Reply-To: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Thu, 2017-08-24 at 15:11 +0200, Stefan Metzmacher wrote:
> Hi Simo,
> 
> > > I guess the proposed credential option is necessary, in that
> > > case.
> > > 
> > 
> > I think in this case ignoring the flag should probably be
> > conditional
> > to whether a PAC is present.
> 
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.

In samba, yes, but that option can be used in other clients that can
connect to multiple types of servers so in case they do not get a PAC
the flag should be respected.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post