[cifs-protocol] [120012821001594] [MS-SFU]Errata from 2019/12/09 - if RBCD bit is set should KDC match in ServicesAllowedToReceiveForwardedTicketsFrom

Hung-Chun Yu HungChun.Yu at microsoft.com
Tue Jan 28 18:21:05 UTC 2020


+Support [cc]
-dochelp [bcc]

Hi Isaac

Thank you for your question.  We created SR 120012821001594 and please leave this info in the subject line to track your issue.  An engineer will contact you soon.

Hung-Chun Yu
Microsoft Protocols Support


________________________________
From: Isaac Boukris <iboukris at gmail.com>
Sent: Tuesday, January 28, 2020 9:10 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Clarification request on recent errata of MS-SFU from 2019/12/09

Hello dochelp,

I noticed some changes to MS-SFU with regard to S4U2Proxy.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/68c4fd08-207c-4353-b59d-4d281edfb6bf

The changes mostly make sense, apart from the following new section
I'm having a hard time with, quote:

If the service ticket in the additional-tickets field is not set to
forwardable<19> and the PA-PAC-OPTIONS [167] ([MS-KILE] section
2.2.10) padata type has the resource-based constrained delegation bit
set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.

Unquote.

If the RBCD bit is set, shouldn't the KDC try to match in
ServicesAllowedToReceiveForwardedTicketsFrom, as it follows in the
document?

Thank you