[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
Greg Hudson
ghudson at mit.edu
Thu Aug 24 00:38:07 UTC 2017
On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket. MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
>
> But Windows KDCs don't set this bit (I guess because it's just not
> useful).
I don't agree at all that the bit isn't useful. That bit is how a KDC
communicates that it vouches for the transited path. Unfortunately, you
do appear to be correct about Windows KDCs. MS-KILE says:
The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
MUST NOT check for transited domains on servers or a KDC.
Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
which basically means Microsoft has declined to conform to RFC 4120 in
this area, instead requiring servers to implement PACs to interoperate
in a cross-realm environment.
I guess the proposed credential option is necessary, in that case.
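An added example, not code from this thread or from MIT krb5, Heimdal or Samba: a Python sketch of the application-server decision discussed above, skipping the transited check when the KDC set TRANSITED-POLICY-CHECKED and otherwise expanding the ticket's transited field and comparing it against a local allow-list. The `trusted_intermediates` allow-list is a constructed local policy, and `expand_transited` implements only the domain-style trailing-dot rule of RFC 4120 section 3.3.3.2, rejecting the other shorthands rather than guessing.

```python
# RFC 4120 section 2.7 TicketFlags bit 12, in the 32-bit MSB-first layout
# MIT krb5 uses (the constant name follows MIT's krb5.h).
TKT_FLG_TRANSIT_POLICY_CHECKED = 0x00080000


def split_transited(encoded):
    """Split a COMPRESSED-TRANSITED string on unquoted ','; '\\' quotes the next char."""
    fields, cur, i = [], [], 0
    while i < len(encoded):
        if encoded[i] == "\\" and i + 1 < len(encoded):
            cur.append(encoded[i + 1])
            i += 2
            continue
        if encoded[i] == ",":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(encoded[i])
        i += 1
    fields.append("".join(cur))
    return fields


def expand_transited(encoded):
    """Expand the domain-style compression of RFC 4120 section 3.3.3.2: a subfield
    ending in '.' has the previous expanded realm appended. Other shorthands
    (leading '/', null subfields) are rejected so nothing is silently accepted."""
    realms, prev = [], ""
    for field in split_transited(encoded):
        if field == "" or field.startswith("/"):
            raise ValueError("unsupported transited shorthand: %r" % field)
        realm = field + prev if field.endswith(".") else field
        realms.append(realm)
        prev = realm
    return realms


def server_accepts(ticket_flags, transited, trusted_intermediates):
    """Server-side decision modelled on the thread: honour the KDC's vouching
    flag, otherwise apply the (constructed) local allow-list to every realm
    in the transited path. Returns (accepted, reason)."""
    if ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED:
        return True, "KDC vouches for the transited path; check skipped"
    if transited == "":
        return True, "no intermediate realms"
    try:
        realms = expand_transited(transited)
    except ValueError as err:
        return False, str(err)
    bad = [r for r in realms if r not in trusted_intermediates]
    if bad:
        return False, "untrusted intermediate realm(s): " + ", ".join(bad)
    return True, "all intermediate realms trusted: " + ", ".join(realms)
```

A ticket from a KDC that never sets the flag (the Windows case above) always reaches the allow-list branch, so that list, or a PAC-based check, is what stands between the server and an unvetted path.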