[19832] in Kerberos_V5_Development
Re: kdc: cross realm s4u2self handling
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Tue Oct 2 13:09:03 2018
MIME-Version: 1.0
In-Reply-To: <CAC-fF8RUgZnE9AZTjSeWsD_OPHq-wAXEyzdr3xErKM+3Vo2Jtg@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 2 Oct 2018 22:33:18 +0530
Message-ID: <CAC-fF8RpfEkGJA2gCUWnEkJyMmaX5uS9hoS8-oKrVrMqajRhOg@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi Greg,
On Fri, Sep 21, 2018 at 8:20 AM Isaac Boukris <iboukris@gmail.com> wrote:
>
> On Thu, Sep 20, 2018 at 4:03 AM, Greg Hudson <ghudson@mit.edu> wrote:
> > It occurs to me that a within-realm S4U2Self request (i.e. one using a local
> > TGT header ticket rather than a cross-TGT one) should still fail if it
> > results in a referral. I will try to put together a test case for that.
>
> I see, though I'm not sure I understand how this would happen.
>
> In any case, would it suffice to condition the check on:
> is_local_principal(kdc_active_realm, header_ticket->server)
> Or perhaps on (are those two necessarily equivalent here btw?):
> !is_cross_tgs_principal(header_ticket->server)
>
>
> Note, in the case of a local TGT header ticket, I think we could add:
> if (client == NULL)
>     return KRB5KDC_ERR_POLICY;
> The client here being the principal to impersonate, which must be
> local in that case.
>
> This would help to return the same error as Windows in the case where a bad
> implementation (e.g. current heimdal) uses a local TGT to request an
> s4u2self ticket from its own KDC on behalf of a foreign principal.
> I'll need to add that logic to my heimdal kdc changes as well, as
> currently it only fails there on PAC logon-name mismatch.
I've submitted PR #853 to follow up on this. I have tested it manually
in a trust with Windows, and will try to add a test case in t_s4u for it
(without PAC, as I've suggested).
If there are other tests you have in mind, I can try to implement as well.
I hope this seems reasonable.
Thanks!
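The decision the thread is discussing, modelled as an added example that is not MIT krb5 code, Heimdal code, or the content of PR #853: the KDC classifies the S4U2Self header ticket as either the service's own local TGT (krbtgt/R@R) or a cross-realm TGT (krbtgt/R@OTHER), and only in the local-TGT case does it require the principal to impersonate to exist in its own database, answering with the policy error when it does not. The predicates is_local_principal and is_cross_tgs_principal are simplified reimplementations written for this example (the real ones operate on krb5_principal structures), the principal struct, the two-entry user table, the realm names and the s4u_outcome enum are constructed stand-ins, and KRB5KDC_ERR_POLICY is represented by an enum value rather than the com_err code.

```c
#include <stdio.h>
#include <string.h>

/* Minimal principal model: a realm plus up to two name components
 * (krbtgt/REALM has two components, a plain user name has one). */
typedef struct {
    const char *realm;
    const char *comp[2];
    int ncomp;
} princ;

/* True when the name's realm is the KDC's own realm. */
static int is_local_principal(const char *active_realm, const princ *p)
{
    return strcmp(p->realm, active_realm) == 0;
}

/* True for krbtgt/X@Y with X != Y, i.e. a cross-realm TGS principal. */
static int is_cross_tgs_principal(const princ *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "krbtgt") == 0 &&
           strcmp(p->comp[1], p->realm) != 0;
}

/* Stand-in for the KDC database lookup (constructed: the only local
 * users are alice and bob). Foreign names are never looked up, so they
 * come back "not found" just as client == NULL would. */
static int lookup_local_client(const char *active_realm, const princ *client)
{
    static const char *const local_users[] = { "alice", "bob" };
    size_t i;

    if (!is_local_principal(active_realm, client) || client->ncomp != 1)
        return 0;
    for (i = 0; i < sizeof(local_users) / sizeof(*local_users); i++)
        if (strcmp(client->comp[0], local_users[i]) == 0)
            return 1;
    return 0;
}

enum s4u_outcome {
    S4U_OK_LOCAL,    /* local TGT, user found locally: issue the ticket   */
    S4U_ERR_POLICY,  /* local TGT, user not local: KRB5KDC_ERR_POLICY     */
    S4U_CROSS_LEG    /* cross-realm TGT header: cross-realm path, no local
                        lookup of the (possibly foreign) user here        */
};

/* The check under discussion: with a local TGT as header ticket, the
 * principal to impersonate must be local, otherwise fail with the same
 * policy error Windows returns. A cross-realm TGT header is left to the
 * cross-realm handling and is not subject to this check. */
static enum s4u_outcome s4u2self_check(const char *active_realm,
                                       const princ *header_server,
                                       const princ *impersonated)
{
    if (is_cross_tgs_principal(header_server))
        return S4U_CROSS_LEG;
    if (!lookup_local_client(active_realm, impersonated))
        return S4U_ERR_POLICY;
    return S4U_OK_LOCAL;
}

/* Constructed sample principals as seen by the KDC of EXAMPLE.COM. */
static const char *const ACTIVE_REALM = "EXAMPLE.COM";
static const princ LOCAL_TGT  = { "EXAMPLE.COM",    { "krbtgt", "EXAMPLE.COM" }, 2 };
static const princ CROSS_TGT  = { "AD.EXAMPLE.NET", { "krbtgt", "EXAMPLE.COM" }, 2 };
static const princ ALICE      = { "EXAMPLE.COM",    { "alice",  NULL }, 1 };
static const princ MALLORY    = { "EXAMPLE.COM",    { "mallory", NULL }, 1 };
static const princ FOREIGN    = { "AD.EXAMPLE.NET", { "carol",  NULL }, 1 };

static const char *outcome_name(enum s4u_outcome o)
{
    return o == S4U_OK_LOCAL ? "issue ticket" :
           o == S4U_ERR_POLICY ? "KRB5KDC_ERR_POLICY" : "cross-realm leg";
}

int main(void)
{
    printf("local TGT, alice@EXAMPLE.COM      : %s\n",
           outcome_name(s4u2self_check(ACTIVE_REALM, &LOCAL_TGT, &ALICE)));
    printf("local TGT, mallory@EXAMPLE.COM    : %s\n",
           outcome_name(s4u2self_check(ACTIVE_REALM, &LOCAL_TGT, &MALLORY)));
    printf("local TGT, carol@AD.EXAMPLE.NET   : %s\n",
           outcome_name(s4u2self_check(ACTIVE_REALM, &LOCAL_TGT, &FOREIGN)));
    printf("cross TGT, carol@AD.EXAMPLE.NET   : %s\n",
           outcome_name(s4u2self_check(ACTIVE_REALM, &CROSS_TGT, &FOREIGN)));
    return 0;
}
```

Note how the two predicates relate for the header tickets a KDC actually accepts: krbtgt/EXAMPLE.COM@EXAMPLE.COM is local and not cross, while krbtgt/EXAMPLE.COM@AD.EXAMPLE.NET has a foreign realm component and is cross, so on well-formed TGS header tickets the two conditions in the quoted message are complementary; they diverge only for names that are not krbtgt principals at all, which the TGS path rejects before reaching this check.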
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev