[20014] in Kerberos_V5_Development


Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Fri Jan 24 13:50:40 2020

To: Greg Hudson <ghudson@mit.edu>, Nico Williams <nico@cryptonector.com>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <9062428f-f26d-4f10-b71f-f54464df2ff4@samba.org>
Date: Fri, 24 Jan 2020 19:49:37 +0100
In-Reply-To: <3d693bdd-9a4c-7135-318e-593e18e52cd0@mit.edu>
Cc: kitten@ietf.org, Samba Technical <samba-technical@lists.samba.org>,
        "krbdev@mit.edu Dev List" <krbdev@mit.edu>

Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
References: <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org>
	<ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu>
	<1503578184.3428.19.camel@redhat.com>
	<db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
	<1503596189.3428.26.camel@redhat.com>
	<F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org>
	<8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org>
	<cb0d7433-9e23-5bce-4e06-1213bf88cade@samba.org>
	<20191121223908.GC26241@localhost>
	<22f96c93-0217-0b2b-d7e1-684f9269fba4@samba.org>
	<20191122224526.GA28614@localhost>
	<8b72197d-2fcc-5b4f-4392-12d53d1ec624@samba.org>
	<5bcc2951-afdf-0849-5c16-f542afe214a1@samba.org>
	<3d693bdd-9a4c-7135-318e-593e18e52cd0@mit.edu>

Hi Greg,

> On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
>
> Does this need to be an application flag, or can it be in the krb5.conf
> realm configuration?  Presumably people are currently working around
> this by setting [capaths] on the server; a realm variable would simplify
> this workaround by not requiring specific knowledge of the domain geometry.
>
> I reviewed the thread, and it sounds like the current understanding is
> that AD applies a transited check (of sorts) to cross-realm tickets, but
> doesn't say so by setting the transit-policy-checked flag in the
> ticket.

Exactly.

> From the upstream point of view the server's realm
> configuration is in a better position to know that the realm is an AD
> realm than the server application; perhaps that is not true from Samba's
> point of view, but I thought I would check.

In Samba we know that we're joined to an AD domain
and then we want to force disabling the transited check
for gss_accept_sec_context().

For Samba as AD DC we also want to disable this for
krb5_rd_req_decoded in the KDC too.

A krb5.conf option would also be good in order to support
non-Samba services in AD domains. But the C library should also
support changing it at runtime.

metze
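Added example (not code from this thread, MIT krb5, Heimdal or Samba): a small Python model of the server-side transited check the messages are about. It works on an already decoded transited list (the X.500-style compressed wire encoding of RFC 4120 3.3.3.2 is not parsed), derives the acceptable path from a constructed [capaths]-style mapping keyed by client realm then server realm, with a hierarchical fallback when no entry exists, and skips the check entirely when the KDC set transited-policy-checked. The trust_kdc_policy parameter is a hypothetical stand-in for the runtime/krb5.conf switch metze asks for; the realm names, the forest geometry and the ticket are constructed for the illustration.

```python
"""Model of the server-side Kerberos transited-realm check (RFC 4120 sections
2.7 and 3.3.3.2), written as an illustration for this page.  Not MIT krb5,
Heimdal or Samba code; realm names and trust geometry below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Ticket:
    client_realm: str
    # Decoded list of realms the ticket passed through (not the compressed wire form).
    transited: List[str] = field(default_factory=list)
    # TicketFlags transited-policy-checked: set by a KDC that verified the path itself.
    transit_policy_checked: bool = False


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Fallback when no [capaths] entry matches: walk up the DNS-style labels from
    the client realm to the longest common suffix, then down to the server realm.
    Simplification: with no common suffix only a direct cross-realm key is assumed."""
    c, s = client_realm.split("."), server_realm.split(".")
    shared = 0
    while shared < min(len(c), len(s)) and c[-1 - shared] == s[-1 - shared]:
        shared += 1
    if shared == 0:
        return [client_realm, server_realm]
    up = [".".join(c[j:]) for j in range(len(c) - shared + 1)]          # up to the common ancestor
    down = [".".join(s[j:]) for j in range(len(s) - shared - 1, -1, -1)]  # down to the server realm
    return up + down


def acceptable_path(client_realm: str, server_realm: str,
                    capaths: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """[capaths] as the server sees it: capaths[client][server] lists the intermediate
    realms ("." meaning a direct trust); without an entry, fall back to the hierarchy."""
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    return [client_realm] + [h for h in hops if h != "."] + [server_realm]


def check_transited(ticket: Ticket, server_realm: str,
                    capaths: Dict[str, Dict[str, List[str]]],
                    trust_kdc_policy: bool = False) -> Tuple[bool, str]:
    """Decide whether the server accepts the ticket's transited path.
    Realm order along the path is not modelled; membership in the path is."""
    if ticket.transit_policy_checked:
        return True, "KDC set transited-policy-checked; server trusts the KDC's check"
    if trust_kdc_policy:  # hypothetical local switch: trust the KDC even without the flag
        return True, "local policy trusts the KDC's check although the flag is unset"
    allowed = acceptable_path(ticket.client_realm, server_realm, capaths)
    for realm in ticket.transited:
        if realm not in allowed:
            return False, f"transited realm {realm!r} is not on the acceptable path {allowed}"
    return True, "every transited realm lies on the acceptable path"


# Constructed AD-style geometry: forest CORP-A.EXAMPLE (child domain SALES) has a
# forest trust with forest CORP-B.TEST.  A SALES user reaching a service in
# CORP-B.TEST transits CORP-A.EXAMPLE, and the AD KDC leaves the flag unset.
SERVER_REALM = "CORP-B.TEST"
AD_TICKET = Ticket("SALES.CORP-A.EXAMPLE", ["CORP-A.EXAMPLE"])
CAPATHS = {"SALES.CORP-A.EXAMPLE": {"CORP-B.TEST": ["CORP-A.EXAMPLE"]}}


def demo() -> Dict[str, bool]:
    """Outcome of the four situations discussed in the thread."""
    flagged = Ticket(AD_TICKET.client_realm, AD_TICKET.transited, transit_policy_checked=True)
    return {
        "no_capaths": check_transited(AD_TICKET, SERVER_REALM, {})[0],        # rejected
        "with_capaths": check_transited(AD_TICKET, SERVER_REALM, CAPATHS)[0],  # workaround
        "flag_set": check_transited(flagged, SERVER_REALM, {})[0],             # what AD could do
        "trust_kdc": check_transited(AD_TICKET, SERVER_REALM, {}, True)[0],    # requested switch
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} -> {'accept' if ok else 'reject'}")
```

The CAPATHS mapping is the dictionary form of a krb5.conf [capaths] stanza keyed by client realm, then server realm, with the intermediate realms as values; the no_capaths case is the failure the thread describes, where the hierarchical fallback cannot guess the forest trust geometry and the ticket is rejected even though the AD KDC already vetted the path.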



_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

