[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher metze at samba.org
Thu Aug 24 22:29:27 UTC 2017


On 24.08.2017 at 22:47, Viktor Dukhovni wrote:
> 
> [ Just kitten, as either not subscribed or subscribed with a different
>   address to some of the other lists. ]
> 
>> On Aug 24, 2017, at 1:36 PM, Simo Sorce <simo at redhat.com> wrote:
>>
>>> We should enforce a PAC always to be present, as we don't support
>>> trusted domains with LSA_TRUST_TYPE_MIT anyway.
>>
>> In samba, yes, but that option can be used in other clients that can
>> connect to multiple types of servers so in case they do not get a PAC
>> the flag should be respected.
> 
> Does the Kerberos library know whether the application is going
> to look at PACs and SIDs or just use the client principal name?  I am
> guessing it does not.  Thus in Samba, one might need a dedicated
> krb5.conf configuration file that disables the transit check.  Other
> applications should still apply the transit check even if a PAC happens
> to be present, as AFAIK it may well remain unused.

My idea was that Samba would use
gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
that the transited list should not be checked.

metze

