[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Simo Sorce simo at redhat.com
Thu Aug 24 17:36:29 UTC 2017


On Thu, 2017-08-24 at 15:11 +0200, Stefan Metzmacher wrote:
> Hi Simo,
> 
> > > I guess the proposed credential option is necessary, in that case.
> > > 
> > 
> > I think in this case ignoring the flag should probably be conditional
> > on whether a PAC is present.
> 
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.

In Samba, yes, but that option can be used in other clients that can
connect to multiple types of servers, so in case they do not get a PAC
the flag should be respected.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc



