[20022] in Kerberos_V5_Development


Re: The PAC must be the first ad-element

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Mon Feb 3 04:32:56 2020

In-Reply-To: <CAC-fF8SCnaRDwLa3h1iwZJVKnVrFXGdWHSBDvh0uSxX90t_ooA@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 3 Feb 2020 10:32:20 +0100
Message-ID: <CAC-fF8SeFP+3yL8aa_ZcBEeOmSjMgBh7_a4O=4+d090FzD4HEQ@mail.gmail.com>
To: krbdev@mit.edu, Alexander Bokovoy <ab@samba.org>,
        Andreas Schneider <asn@samba.org>, Greg Hudson <ghudson@mit.edu>,
        rharwood@redhat.com, Andrew Bartlett <abartlet@samba.org>

On Sat, Feb 1, 2020 at 2:05 AM Isaac Boukris <iboukris@gmail.com> wrote:
>
> Interestingly, in the trust case if the PAC is the first element the
> trusted Windows KDC would remove the other element and leave only the
> PAC (if the other element was first, then it is not removed but it
> breaks service access).

This makes me think we may need a way to suppress some ad-types from
the request, which I think is not possible with the current API.  If
so, maybe we could add an out param to sign_authdata() with a list
of ad-types to filter out.

In contrast, perhaps we can reduce the number of passed arguments by
mandating the use of krb5_db_get_authdata_info(), and not passing
header_server and header_key.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
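As an added example (not code from the thread or from MIT krb5), a toy model of the two behaviours discussed above: RFC 4120 AuthorizationData encoding and decoding, a check for whether an element is or wraps the PAC (AD-WIN2K-PAC, ad-type 128, normally carried inside AD-IF-RELEVANT, ad-type 1), and a filter that drops caller-specified ad-types while moving the PAC-bearing element to the front. The AD_OTHER value and the SAMPLE elements are constructed for illustration.

```python
# Added example, not MIT krb5 code: toy RFC 4120 AuthorizationData codec plus the thread's two rules.
AD_IF_RELEVANT, AD_WIN2K_PAC = 1, 128   # the PAC is normally wrapped in AD-IF-RELEVANT

def _der_len(n):  # DER definite length: short form below 128, long form above
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(n):  # minimal two's-complement DER INTEGER
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def encode_authdata(elements):
    """list of (ad_type, ad_data bytes) -> DER AuthorizationData."""
    items = [_tlv(0x30, _tlv(0xA0, _der_int(t)) + _tlv(0xA1, _tlv(0x04, d)))
             for t, d in elements]   # SEQUENCE { [0] ad-type, [1] ad-data }
    return _tlv(0x30, b"".join(items))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_authdata(der):
    """DER AuthorizationData -> list of (ad_type, ad_data bytes)."""
    _, body, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, item, pos = _read_tlv(body, pos)
        _, t_ctx, p = _read_tlv(item, 0)        # [0] ad-type
        _, d_ctx, _ = _read_tlv(item, p)        # [1] ad-data
        out.append((int.from_bytes(_read_tlv(t_ctx, 0)[1], "big", signed=True),
                    _read_tlv(d_ctx, 0)[1]))
    return out

def contains_pac(ad_type, ad_data):  # the PAC itself, or AD-IF-RELEVANT wrapping one
    if ad_type == AD_IF_RELEVANT:
        return any(contains_pac(t, d) for t, d in decode_authdata(ad_data))
    return ad_type == AD_WIN2K_PAC

def normalize_authdata(elements, suppress=()):
    """Drop suppressed ad-types, then move the PAC-bearing element first."""
    kept = [e for e in elements if e[0] not in suppress]
    return sorted(kept, key=lambda e: not contains_pac(*e))  # stable: PAC first

AD_OTHER = 999   # placeholder ad-type (not a registered value) for the constructed sample below
SAMPLE = [(AD_OTHER, b"other"), (AD_IF_RELEVANT, encode_authdata([(AD_WIN2K_PAC, b"\x00" * 200)]))]
```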
