[20538] in Kerberos_V5_Development
Re: Split IAKERB for local KDCs cross-realm setup?
daemon@ATHENA.MIT.EDU (Alexander Bokovoy via krbdev)
Fri Mar 28 15:41:41 2025
Date: Fri, 28 Mar 2025 21:40:59 +0200
To: Nico Williams <nico@cryptonector.com>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Message-ID: <Z+b7S9od/4CLFaxA@redhat.com>
In-Reply-To: <Z+bzYusV9yjIOhyz@ubby>
From: Alexander Bokovoy via krbdev <krbdev@mit.edu>
Reply-To: Alexander Bokovoy <abokovoy@redhat.com>
On Fri, 28 Mar 2025, Nico Williams wrote:
>On Fri, Mar 28, 2025 at 08:55:43PM +0200, Alexander Bokovoy via krbdev wrote:
>> [... stuff about KDCs accessed over Unix domain sockets ...]
>
>Sure, if you know this (local configuration) or can trivially test for
>this then that's cheap and timeout-free. (Is the AF_LOCAL server a
>proxy? I guess it would be.)
>
>Presumably the initiator can also know about its start TGT's realm's
>KDC's reachability if it acquired it itself.
>
>"Prestashing" is a technique where tickets are orchestrated into place
>where they are needed, and in those cases the initiator needs a clue as
>to whether the start realm's KDCs are reachable. But if the initiator's
>start TGT came from an AS exchange done locally w/o IAKERB then the
>initiator can know this (e.g., as an attribute in the ccache file) and
>just try contacting that realm's KDCs directly.
>
>Don't forget that we could use ccconfig entries for some of these
>things, so even in the prestash case clues can be given to the
>initiator. And the ccache and its config entries can be used to track
>failures to reach KDCs so that at least retries can go differently even
>if that yields a sucky UX.
Yes, there is already a precedent with the GSSAPI krb5 mech acceptor
which stores the "start_realm" of the delegated TGT in case it is not
the same as the server's realm.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
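The ccache config entries ("ccconfig") that both the quoted text and the reply refer to, shown as an added example that is not code from the thread or from MIT krb5: it builds a minimal FILE-format (version 4) ccache in memory containing two config entries and reads them back. Config entries are stored as ordinary credentials whose server principal is krb5_ccache_conf_data/<key>@X-CACHECONF: with the value carried in the ticket field, which is how krb5_cc_set_config lays them out. `start_realm` is the key the reply mentions; the principal names and the `x_kdc_unreachable` key are constructed for the example and the latter is hypothetical, not a key krb5 defines.

```python
"""Write and read krb5 FILE ccache config entries (v4 layout, big-endian).
Config entries: server principal krb5_ccache_conf_data/<key>@X-CACHECONF:,
value stored in the ticket field. All names below are constructed."""
import struct

CONF_REALM = b"X-CACHECONF:"
CONF_COMPONENT = b"krb5_ccache_conf_data"
KRB5_NT_PRINCIPAL = 1


def encode_principal(realm: bytes, components: list, name_type: int = KRB5_NT_PRINCIPAL) -> bytes:
    # name_type, component count, realm, then each component (all length-prefixed)
    out = struct.pack(">II", name_type, len(components))
    out += struct.pack(">I", len(realm)) + realm
    for c in components:
        out += struct.pack(">I", len(c)) + c
    return out


def encode_config_cred(client: bytes, key: bytes, value: bytes) -> bytes:
    server = encode_principal(CONF_REALM, [CONF_COMPONENT, key])
    cred = client + server
    cred += struct.pack(">HI", 0, 0)              # keyblock: enctype 0, empty key
    cred += struct.pack(">IIII", 0, 0, 0, 0)      # authtime, starttime, endtime, renew_till
    cred += struct.pack(">B", 0)                  # is_skey
    cred += struct.pack(">I", 0)                  # ticket_flags
    cred += struct.pack(">I", 0)                  # address count
    cred += struct.pack(">I", 0)                  # authdata count
    cred += struct.pack(">I", len(value)) + value  # ticket field carries the config value
    cred += struct.pack(">I", 0)                  # second_ticket
    return cred


def build_ccache(realm: bytes, components: list, config: dict) -> bytes:
    client = encode_principal(realm, components)
    header = struct.pack(">HHii", 1, 8, 0, 0)     # tag 1 DELTATIME: time offset, usec offset
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += client                                 # default principal
    for key, value in config.items():
        out += encode_config_cred(client, key, value)
    return out


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())

    def principal(self):
        self.u32()                                # name_type
        n = self.u32()
        realm = self.blob()
        return realm, [self.blob() for _ in range(n)]

    def at_end(self): return self.pos >= len(self.data)


def read_config_entries(data: bytes) -> dict:
    """Walk every credential and collect X-CACHECONF: entries as {key: value}."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                               # skip header block
    r.principal()                                 # default principal
    found = {}
    while not r.at_end():
        r.principal()                             # client
        realm, comps = r.principal()              # server
        r.u16(); r.blob()                         # keyblock
        r.take(16)                                # four timestamps
        r.u8(); r.u32()                           # is_skey, ticket_flags
        for _ in range(r.u32()):                  # addresses
            r.u16(); r.blob()
        for _ in range(r.u32()):                  # authdata
            r.u16(); r.blob()
        ticket = r.blob()
        r.blob()                                  # second_ticket
        if realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_COMPONENT:
            found[comps[1].decode()] = ticket.decode()
    return found


def demo() -> dict:
    # Constructed initiator cache: TGT obtained locally from SRC.EXAMPLE, plus a
    # hypothetical marker of the kind the thread suggests for unreachable KDCs.
    cache = build_ccache(b"SRC.EXAMPLE", [b"alice"], {
        b"start_realm": b"SRC.EXAMPLE",
        b"x_kdc_unreachable": b"SRC.EXAMPLE",     # hypothetical key, not defined by krb5
    })
    return read_config_entries(cache)


if __name__ == "__main__":
    print(demo())
```

The reader deliberately walks the full credential layout rather than scanning for the X-CACHECONF: realm string, so a truncated or malformed cache raises instead of yielding a partial answer.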
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev