[20549] in Kerberos_V5_Development
Re: Supporting custom requests for MS-NRPC
daemon@ATHENA.MIT.EDU (Alexander Bokovoy via krbdev)
Mon Sep 29 03:11:45 2025
Date: Mon, 29 Sep 2025 10:09:44 +0300
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu
Message-ID: <aNowuKjCWNigpbcV@redhat.com>
In-Reply-To: <0975e963-96db-4713-a8c7-e3617ef9fcc7@mit.edu>
From: Alexander Bokovoy via krbdev <krbdev@mit.edu>
Reply-To: Alexander Bokovoy <abokovoy@redhat.com>
On Fri, 26 Sep 2025, Greg Hudson wrote:
>On 9/26/25 06:00, Alexander Bokovoy via krbdev wrote:
>>So I am thinking on how we can implement this in MIT Kerberos-based
>>Samba AD DC or FreeIPA domain controllers.
>
>Do these requests have to be serviced by the KDC process at all?
>Could it be a separate daemon with access to the KDB?

Since it needs access to the encrypted keys, that separate daemon would
effectively be a KDC in the sense that it will need to verify signatures
and issue PAC content. It is a large duplicate of the feature set
provided by the KDC code.

I would consider having a separate daemon in such a case a security issue
as well.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev