[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
simo at redhat.com
Thu Aug 24 23:10:17 UTC 2017
On Fri, 2017-08-25 at 00:29 +0200, Stefan Metzmacher wrote:
> On 24.08.2017 at 22:47, Viktor Dukhovni wrote:
> > [ Just kitten, as either not subscribed or subscribed with a different
> > address to some of the other lists. ]
> > > On Aug 24, 2017, at 1:36 PM, Simo Sorce <simo at redhat.com> wrote:
> > >
> > > > We should enforce a PAC always to be present, as we don't support
> > > > trusted domains with LSA_TRUST_TYPE_MIT anyway.
> > >
> > > In samba, yes, but that option can be used in other clients that can
> > > connect to multiple types of servers so in case they do not get a PAC
> > > the flag should be respected.
> > Does the Kerberos library know whether the application is going
> > to look at PACs and SIDs or just use the client principal name? I am
> > guessing it does not. Thus in Samba, one might need a dedicated
> > krb5.conf configuration file that disables the transit check. Other
> > applications should still apply transit check even if a PAC happens
> > to be present, as AFAIK it may well remain unused.
> My idea was that Samba would use
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
> that the transited list should not be checked.
It's my idea as well, but if you are operating in a mixed environment
and the ticket happens to come without a PAC the transited list should
probably be checked instead. A service *may* decide to bail out if no
PAC is present but it shouldn't have to.
Sr. Principal Software Engineer
Red Hat, Inc
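The acceptance policy argued for in this message, as an added model (not Samba, MIT or Heimdal code): the transited-realm check is skipped only when the acceptor asked for GSS_KRB5_CRED_NO_TRANSIT_CHECK_X and the ticket actually carries a PAC; a PAC-less ticket in a mixed environment still gets the transit check, and a service can separately choose to require a PAC. The realm names, the [capaths]-style table and the already-decoded transited lists are constructed for illustration.

```python
"""Model of the transit-check policy from the thread (added example, not
Samba or Kerberos library code).  Assumes the ticket's transited field has
already been decoded into a list of realm names; the realms and the
[capaths]-style table below are constructed samples."""
from dataclasses import dataclass, field

# Allowed cross-realm paths, shaped like krb5.conf [capaths]:
# client realm -> server realm -> ordered intermediates ("." = direct).
CAPATHS = {
    "SALES.EXAMPLE.COM": {
        "ENG.EXAMPLE.COM": ["EXAMPLE.COM"],
        "EXAMPLE.COM": ["."],
    },
}

@dataclass
class Ticket:
    client_realm: str
    server_realm: str
    transited: list = field(default_factory=list)  # decoded realm names
    pac_present: bool = False

def transited_path_ok(ticket, capaths=CAPATHS):
    """Every realm the ticket passed through must lie on the configured
    path, in order (simplified form of the RFC 4120 3.3.3.2 check)."""
    path = capaths.get(ticket.client_realm, {}).get(ticket.server_realm)
    if path is None:
        return ticket.transited == []  # nothing configured: direct only
    allowed = [r for r in path if r != "."]
    pos = 0
    for realm in ticket.transited:
        if realm not in allowed[pos:]:
            return False
        pos = allowed.index(realm, pos) + 1
    return True

def accept_ticket(ticket, no_transit_check=False, require_pac=False):
    """Return (accepted, reason).  no_transit_check models the acceptor
    having set GSS_KRB5_CRED_NO_TRANSIT_CHECK_X on its credential."""
    if require_pac and not ticket.pac_present:
        return False, "no PAC"
    if no_transit_check and ticket.pac_present:
        return True, "transit check skipped: PAC present"  # Samba's case
    # No PAC (mixed environment) or no opt-out: check the transited list.
    if not transited_path_ok(ticket):
        return False, "transited realm not on configured path"
    return True, "transit check passed"
```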