
Re: Implementing RBCD

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Mar 21 18:49:09 2019

To: Isaac Boukris <iboukris@gmail.com>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <83118f72-5875-57f0-2149-04b0285e45a5@mit.edu>
Date: Thu, 21 Mar 2019 18:48:46 -0400
MIME-Version: 1.0
In-Reply-To: <CAC-fF8SWc3=0T27gD+UOPpP4Ohbv++kQ3yFbiMrkKJi-ZKoBcg@mail.gmail.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 3/21/19 6:20 PM, Isaac Boukris wrote:
> [notes: both these requirements are challenging:
> The first would involve full decoding of the PAC, while I think it
> could be a good idea to have it in krb5 library (for other purposes as
> well), I only have a vague idea of what NDR decoding actually means,
> and as far as I remember Greg was not fond of this idea in the past.

I could be okay with this if NDR isn't too hard to decode.

> The second requirement involves an RPC call (as per MS-KILE) but here
> as well I think we could skip it and just try other KDCs in case of
> error.]

I don't think our current sendto_kdc code makes it easy to cycle through
the KDCs on error.  I'd be okay with saying that our side of RBCD
doesn't work if you have pre-2012 DCs.

> My planning is currently as follows:
> - implement the client code properly, I think it might be a good idea
> to move some logic from get_creds.c to s4u_creds.c to simplify it
> (especially the referral-chasing), but I'm still unclear.
> - add basic KDC support, leaving authdata handling to KDB plugin (but
> we might need to provide it with more info).
> - add tests, possibly using own authdata implementation (similar to
> what I experiment with in PR 894).
> - manually test windows clients against MIT KDC by plugging it with (a
> patched) SambaAD (I'd also try to test trust with Windows KDC).

This seems reasonable.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev