Cross realm S4U2Self cont.

Stefan Metzmacher metze at samba.org
Fri Aug 3 14:33:51 UTC 2018


Hi Isaac,

I'm currently too busy to deeply follow your work, sorry!
I hope I get the chance in the next few weeks...

> Note that unlike what I said initially, transitive trust still does
> not work (only direct trust). I thought it worked when I was testing
> with kgetcred against windows but when I try to actually accept the
> ticket by the service, it fails at krb5_check_transited(). Also, there
> seems to be the same issue on the KDC side when the Samba KDC is in the
> trust path.

Have a look at this thread:
http://mailman.mit.edu/pipermail/krbdev/2017-August/thread.html#12791

We need to get something like this:
gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
in order to disable the check.

Which can be used if the application requires a validated PAC.

metze
