[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
Simo Sorce
simo at redhat.com
Thu Aug 24 12:36:24 UTC 2017
On Wed, 2017-08-23 at 20:38 -0400, Greg Hudson wrote:
> On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
> > > I think we should first consider whether it would be sufficient
> > > for MIT
> > > krb5 to suppress the rd_req transited check if the
> > > TRANSITED-POLICY-CHECKED flag is set in the ticket. MIT and
> > > Heimdal
> > > KDCs both appear to perform the transited check and set the flag
> > > by default.
> >
> > But Windows KDCs doesn't set this bit (I guess because it's just
> > not
> > useful).
>
> I don't agree at all that the bit isn't useful. That bit is how a
> KDC
> communicates that it vouches for the transited path. Unfortunately,
> you
> do appear to be correct about Windows KDCs. MS-KILE says:
>
> The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
> MUST NOT check for transited domains on servers or a KDC.
> Application servers MUST ignore the TRANSITED-POLICYCHECKED flag.
>
> which basically means Microsoft has declined to conform to RFC 4120
> in
> this area, instead requiring servers to implement PACs to
> interoperate
> in a cross-realm environment.
>
> I guess the proposed credential option is necessary, in that case.
>
I think in this case ignoring the flag should probably be conditional
to whether a PAC is present.
My2c.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
More information about the samba-technical
mailing list