[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
Simo Sorce
simo at redhat.com
Thu Aug 24 17:36:29 UTC 2017
On Thu, 2017-08-24 at 15:11 +0200, Stefan Metzmacher wrote:
> Hi Simo,
>
> > > I guess the proposed credential option is necessary, in that case.
> > >
> >
> > I think in this case ignoring the flag should probably be conditional
> > to whether a PAC is present.
>
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.
In Samba, yes, but that option can be used in other clients that can
connect to multiple types of servers, so in case they do not get a PAC
the flag should be respected.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc