[19639] in Kerberos_V5_Development
Re: [kitten] Checking the transited list of a kerberos ticket in a
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Aug 24 13:36:47 2017
Message-ID: <1503596189.3428.26.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Stefan Metzmacher <metze@samba.org>, Greg Hudson <ghudson@mit.edu>,
heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
"kitten@ietf.org" <kitten@ietf.org>,
Samba Technical <samba-technical@lists.samba.org>
Date: Thu, 24 Aug 2017 13:36:29 -0400
In-Reply-To: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Thu, 2017-08-24 at 15:11 +0200, Stefan Metzmacher wrote:
> Hi Simo,
>
> > > I guess the proposed credential option is necessary, in that
> > > case.
> > >
> >
> > I think in this case ignoring the flag should probably be
> > conditional
> > to whether a PAC is present.
>
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.
In samba, yes, but that option can be used in other clients that can
connect to multiple types of servers so in case they do not get a PAC
the flag should be respected.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev