[20426] in Kerberos_V5_Development


Re: Using authentication indicators

daemon@ATHENA.MIT.EDU (Andrew Bartlett via krbdev)
Mon Apr 3 05:52:53 2023

Message-ID: <55f95166a04be1a4aa53001197a2ff04dfad2348.camel@samba.org>
To: Alexander Bokovoy <abokovoy@redhat.com>, Greg Hudson <ghudson@mit.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, krbdev@mit.edu
Date: Mon, 03 Apr 2023 21:51:24 +1200
In-Reply-To: <ZCqfzXHNC93SX3QA@redhat.com>
MIME-Version: 1.0
From: Andrew Bartlett via krbdev <krbdev@mit.edu>
Reply-To: Andrew Bartlett <abartlet@samba.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, 2023-04-03 at 12:43 +0300, Alexander Bokovoy wrote:
> My original goal (not implemented yet) for this was to be able to inject
> PKINIT-specific authentication indicators to tickets received over
> cross-realm when PAC in the incoming cross-tgt contains indication that
> PKINIT was used by domain controller in a trusted AD domain. This would
> allow us to bridge smartcard use by AD and a lack of authentication
> indicators support by Microsoft -- FreeIPA clients would be able to see
> the proper indicator for stronger auth support in pam_sss_gss, for
> example.

I'm hoping we can somehow use AD claims for some authentication
indicator kind of tasks, perhaps with certificate-backed claims to
indicate use of PKINIT.

It is early days, but that seems to be the space we can put such an
indication in within the AD pattern.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
