[cifs-protocol] [120012821001594] [MS-SFU]Errata from 2019/12/09 - if RBCD bit is set should KDC match in ServicesAllowedToReceiveForwardedTicketsFrom

Sreekanth Nadendla srenaden at microsoft.com
Tue Jan 28 21:07:08 UTC 2020


Hello Isaac, I'm researching this issue for you. I will provide you with an update as soon as I have some details to share with you.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications


________________________________
From: Isaac Boukris <iboukris at gmail.com>
Sent: Tuesday, January 28, 2020 9:10 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Clarification request on recent errata of MS-SFU from 2019/12/09

Hello dochelp,

I noticed some changes to MS-SFU with regard to S4U2Proxy.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/68c4fd08-207c-4353-b59d-4d281edfb6bf

The changes mostly make sense, apart from the following new section
I'm having a hard time with, quote:

If the service ticket in the additional-tickets field is not set to
forwardable<19> and the PA-PAC-OPTIONS [167] ([MS-KILE] section
2.2.10) padata type has the resource-based constrained delegation bit
set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.

Unquote.

If the RBCD bit is set, shouldn't the KDC try to match in
ServicesAllowedToReceiveForwardedTicketsFrom, as it follows in the
document?

Thank you