[20023] in Kerberos_V5_Development


Re: The PAC must be the first ad-element

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Mon Feb 3 05:17:31 2020

In-Reply-To: <CAC-fF8SeFP+3yL8aa_ZcBEeOmSjMgBh7_a4O=4+d090FzD4HEQ@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 3 Feb 2020 11:16:01 +0100
Message-ID: <CAC-fF8RuddLzg=sOGTnVtmPPmmSqag9-1G64HWkEmuk7m=K8Xw@mail.gmail.com>
To: krbdev@mit.edu, Alexander Bokovoy <ab@samba.org>,
        Andreas Schneider <asn@samba.org>, Greg Hudson <ghudson@mit.edu>,
        rharwood@redhat.com, Andrew Bartlett <abartlet@samba.org>

On Mon, Feb 3, 2020 at 10:32 AM Isaac Boukris <iboukris@gmail.com> wrote:
>
> On Sat, Feb 1, 2020 at 2:05 AM Isaac Boukris <iboukris@gmail.com> wrote:
> >
> > Interestingly, in the trust case if the PAC is the first element the
> > trusted Windows KDC would remove the other element and leave only the
> > PAC (if the other element was first, then it is not removed but it
> > breaks service access).
>
> This makes me think we may need a way to suppress some ad-types from
> the request, which I think is not possible with the current API.  If

Actually, in that trust case it's the TGT authdata that got suppressed,
not the request, but the idea is the same.