[20013] in Kerberos_V5_Development
Re: [kitten] Checking the transited list of a kerberos ticket in a
daemon@ATHENA.MIT.EDU (Alexander Bokovoy)
Thu Jan 23 11:39:13 2020
Date: Thu, 23 Jan 2020 18:38:54 +0200
From: Alexander Bokovoy <abokovoy@redhat.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20200123163854.GS1579623@redhat.com>
MIME-Version: 1.0
In-Reply-To: <20200123162832.GR1579623@redhat.com>
Content-Disposition: inline
Cc: Stefan Metzmacher <metze=40samba.org@dmarc.ietf.org>,
"heimdal-discuss@sics.se" <heimdal-discuss@sics.se>,
Samba Technical <samba-technical@lists.samba.org>,
"krbdev@mit.edu Dev List" <krbdev@mit.edu>, kitten@ietf.org,
Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Thu, 23 Jan 2020, Alexander Bokovoy wrote:
>On Thu, 23 Jan 2020, Greg Hudson wrote:
>>On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>>>it would be great if we could make some progress here...
>>
>>Does this need to be an application flag, or can it be in the krb5.conf
>>realm configuration? Presumably people are currently working around
>>this by setting [capaths] on the server; a realm variable would simplify
>>this workaround by not requiring specific knowledge of the domain geometry.
>>
>>I reviewed the thread, and it sounds like the current understanding is
>>that AD applies a transited check (of sorts) to cross-realm tickets, but
>>doesn't say so by setting the transit-policy-checked flag in the
>>ticket. From the upstream point of view the server's realm
>>configuration is in a better position to know that the realm is an AD
>>realm than the server application; perhaps that is not true from Samba's
>>point of view, but I thought I would check.
>
>From FreeIPA perspective we known inside KDB driver that a particular
>realm belongs to one of trusted AD forests so we can provide this
>information to KDC dynamically. Perhaps Samba AD can do the same?
>
>If so, may be some KDB API extension can help?
I totally missed that this is a server side. Isaac explained the issue
to me, sorry for the suggestion that doesn't apply here. ;)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
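As an added illustration of the server-side [capaths] workaround Greg refers to above (this fragment is constructed for this note and is not from the thread, MIT krb5 or Samba): when a cross-realm ticket arrives without the transit-policy-checked flag, the accepting server's krb5 library performs its own transited check against krb5.conf, so the AD forest geometry has to be spelled out there. The realm names below are assumptions; a real deployment lists its own forest root and child domains.

```ini
# Constructed krb5.conf fragment on the accepting server (assumed realms).
# Client principals from CLIENT.AD.EXAMPLE (an AD child domain) reach the
# service realm SERVER.EXAMPLE through the AD forest root AD.EXAMPLE.
# Listing that path lets the server-side transited check accept the ticket
# even though the AD KDC did not set transit-policy-checked.
[capaths]
    CLIENT.AD.EXAMPLE = {
        SERVER.EXAMPLE = AD.EXAMPLE
    }
    SERVER.EXAMPLE = {
        CLIENT.AD.EXAMPLE = AD.EXAMPLE
    }
```

This is exactly the "specific knowledge of the domain geometry" the quoted message complains about: every forest root and intermediate domain that can appear in the transited field has to be enumerated on each server, and a new child domain in the forest means a configuration change on every accepting host.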