[20011] in Kerberos_V5_Development

Re: [kitten] Checking the transited list of a kerberos ticket in a

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jan 23 11:16:24 2020

To: Stefan Metzmacher <metze=40samba.org@dmarc.ietf.org>, Nico Williams <nico@cryptonector.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <3d693bdd-9a4c-7135-318e-593e18e52cd0@mit.edu>
Date: Thu, 23 Jan 2020 11:15:32 -0500
MIME-Version: 1.0
In-Reply-To: <5bcc2951-afdf-0849-5c16-f542afe214a1@samba.org>
Content-Language: en-US
Cc: kitten@ietf.org, "heimdal-discuss@sics.se" <heimdal-discuss@sics.se>, Samba Technical <samba-technical@lists.samba.org>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
> it would be great if we could make some progress here...

Does this need to be an application flag, or can it be in the krb5.conf
realm configuration?  Presumably people are currently working around
this by setting [capaths] on the server; a realm variable would simplify
this workaround by not requiring specific knowledge of the domain geometry.

I reviewed the thread, and it sounds like the current understanding is
that AD applies a transited check (of sorts) to cross-realm tickets, but
doesn't say so by setting the transit-policy-checked flag in the
ticket.  From the upstream point of view the server's realm
configuration is in a better position to know that the realm is an AD
realm than the server application; perhaps that is not true from Samba's
point of view, but I thought I would check.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
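
As an added illustration of the decision discussed in this message (example code, not code from MIT krb5, Heimdal, Samba or anyone in the thread): a Python model of how a server could decide whether to run its own transited check on a cross-realm ticket. The CAPATHS structure is shaped like a krb5.conf [capaths] section (a value of "." meaning direct trust); the trust_kdc_transited_check realm setting is a hypothetical stand-in for the realm-level variable proposed above and is not an existing krb5.conf option; the transited-field decoder implements only the trailing-"." compression rule of RFC 4120's DOMAIN-X500-COMPRESS encoding; the tickets and policy tables are constructed sample input.

```python
"""Model of a server-side transited-path check for a cross-realm Kerberos ticket.

Added illustration only: not code from MIT krb5, Heimdal, Samba or the thread.
The DOMAIN-X500-COMPRESS decoder implements just the trailing-'.' prefix rule
of RFC 4120 section 3.3.3.2 (backslash quoting, X.500 '/' names and null
subfields are deliberately omitted). ``trust_kdc_transited_check`` is a
hypothetical realm setting standing in for the realm-level knob discussed in
the thread; it is not an existing krb5.conf variable.
"""
from __future__ import annotations

# Constructed sample policy, shaped like a krb5.conf [capaths] section:
# CAPATHS[client_realm][server_realm] lists the intermediate realms the
# server is willing to see in the transited field; ["."] means direct trust.
CAPATHS = {
    "ATHENA.MIT.EDU": {
        "CS.WASHINGTON.EDU": ["MIT.EDU", "EDU", "WASHINGTON.EDU"],
        "MIT.EDU": ["."],
    },
}

# Constructed per-realm server configuration. The flag is hypothetical: it
# marks a realm whose KDC enforces transit policy but does not set
# TRANSITED-POLICY-CHECKED, which is the AD behaviour described above.
REALM_CONFIG = {
    "CHILD.AD.EXAMPLE": {"trust_kdc_transited_check": True},
    "CS.WASHINGTON.EDU": {"trust_kdc_transited_check": False},
}


def decode_transited(encoded: str) -> list[str]:
    """Expand the trailing-'.' compression: 'EDU,MIT.,ATHENA.' is
    EDU, then MIT. + EDU, then ATHENA. + MIT.EDU."""
    realms: list[str] = []
    previous = None
    for component in (encoded.split(",") if encoded else []):
        if component.endswith("."):
            if previous is None:
                raise ValueError("compressed component with no preceding realm")
            component = component + previous
        realms.append(component)
        previous = component
    return realms


def capaths_route(capaths, client_realm, server_realm):
    """Allowed intermediates: [] for direct trust, None if no route is configured."""
    entry = capaths.get(client_realm, {}).get(server_realm)
    if entry is None:
        return None
    return [] if entry == ["."] else list(entry)


def transited_path_ok(ticket, capaths=CAPATHS, realm_config=REALM_CONFIG):
    """Return (accepted, reason) for the ticket's transit path.

    1. the KDC set TRANSITED-POLICY-CHECKED, so the path was already vetted;
    2. the realm is configured (hypothetical setting) as one whose KDC
       checks the path but never sets the flag;
    3. otherwise every transited realm must lie on the [capaths] route.
    """
    client_realm = ticket["client_realm"]
    server_realm = ticket["server_realm"]

    if ticket.get("transited_policy_checked"):
        return True, "KDC set TRANSITED-POLICY-CHECKED"
    if realm_config.get(server_realm, {}).get("trust_kdc_transited_check"):
        return True, "realm configured to trust the KDC's transit check"

    transited = decode_transited(ticket["transited"])
    if client_realm == server_realm:
        return (not transited), "same-realm ticket must have an empty transited field"

    allowed = capaths_route(capaths, client_realm, server_realm)
    if allowed is None:
        return False, f"no [capaths] route from {client_realm} to {server_realm}"
    unexpected = [r for r in transited
                  if r not in allowed and r not in (client_realm, server_realm)]
    if unexpected:
        return False, "unexpected realm(s) in transited field: " + ", ".join(unexpected)
    return True, "transited realms match the [capaths] route"


if __name__ == "__main__":
    # Constructed sample tickets, reduced to the fields the check needs.
    samples = [
        {"client_realm": "ATHENA.MIT.EDU", "server_realm": "CS.WASHINGTON.EDU",
         "transited": "EDU,MIT.,WASHINGTON.EDU"},
        {"client_realm": "ATHENA.MIT.EDU", "server_realm": "CS.WASHINGTON.EDU",
         "transited": "EDU,MIT.,ROGUE."},
        {"client_realm": "ATHENA.MIT.EDU", "server_realm": "MIT.EDU",
         "transited": "EDU"},
        {"client_realm": "OTHER.AD.EXAMPLE", "server_realm": "CHILD.AD.EXAMPLE",
         "transited": "AD.EXAMPLE"},
    ]
    for t in samples:
        print(t["client_realm"], "->", t["server_realm"], transited_path_ok(t))
```

The second sample shows why the check matters when the flag is absent: a compressed component such as "ROGUE." expands to ROGUE.MIT.EDU, a realm that is not on the configured route, so the server rejects the ticket; the fourth sample shows the proposed realm-level knob short-circuiting the check for a realm whose KDC is trusted to have done it.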
