[20439] in Kerberos_V5_Development
Re: AS-REQ service tickets
daemon@ATHENA.MIT.EDU (Andrew Bartlett via krbdev)
Thu Aug 17 16:58:10 2023
Message-ID: <21604ea9c1a353901ff1c41f2f87f1d510b9dc89.camel@samba.org>
To: John Wray <jwray@us.ibm.com>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Fri, 18 Aug 2023 08:56:05 +1200
In-Reply-To: <SA0PR15MB3838BD46D7BABB7BC9C7C1CD8C15A@SA0PR15MB3838.namprd15.prod.outlook.com>
MIME-Version: 1.0
From: Andrew Bartlett via krbdev <krbdev@mit.edu>
Reply-To: Andrew Bartlett <abartlet@samba.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Wed, 2023-08-16 at 22:22 +0000, John Wray wrote:
> I believe it should be possible to obtain a service ticket to a
> server within the local realm directly using an AS-REQ from
> krb5_get_init_creds_keytab()/password() by specifying the target
> server name instead of the TGS in the in_tkt_service parameter.
> Has anyone noticed any change in tickets obtained this way from
> Microsoft Domain Controllers after a recent security update? None of
> the CVEs mentioned seem to relate to this KDC behavior.
Samba's tests have noticed a change in (at least) the PAC checksums for
(the server signature) in the AS-REQ to service case.
We plan to investigate soon and once the tests are updated, there will
be a good basis to suggest any change to MIT Kerberos.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
