A question about S4U2Self with MIT KDC

Isaac Boukris iboukris at gmail.com
Thu Feb 7 12:10:55 UTC 2019


Thanks Alexander, I'm fine with adding the needed API, I was mainly
trying to convince myself that it is necessary.

But I don't agree that the MS-SFU is clear :)

On Thu, Feb 7, 2019 at 1:49 PM Alexander Bokovoy <ab at samba.org> wrote:
>
> 3.2.5.1.2 is clear:
>
> -----
>
> If the KDC supports the Privilege Attribute Certificate Data Structure
> [MS-PAC], the KDC, when populating the KERB_VALIDATION_INFO Structure
> ([MS-KILE] section 3.3.5.6.4.1), MUST NOT include the
> AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID ([MS-DTYP] section
> 2.4.2.4) in the ExtraSids field and SHOULD add the
> SERVICE_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4) instead.
>
> -----

This doesn't say anything on verifying the original PAC.

> Also 3.2.5.2 is clear:
>
> -----
>
> Service 1's KDC verifies both server ([MS-PAC] section 2.8.1) and KDC
> ([MS-PAC] section 2.8.2) signatures of the PAC. If Service 2 is in
> another domain, then its KDC verifies only the KDC signature
> of the PAC. If verification fails, the KDC MUST return
> KRB-AP-ERR-MODIFIED.
>
> -----

This one is specifically S4U2proxy only.

> These both require verification. For 3.2.5.1, KDC has to do verification
> of the PAC in the referral TGT:
>
> -----
>
> If the KDC supports the Privilege Attribute Certificate Data Structure
> [MS-PAC], a referral TGT is received and a PAC is provided, the Name
> field in the PAC_CLIENT_INFO structure MUST have the form of "client
> name@client realm".
>
> -----

This one is when the impersonated principal is not from the local realm, so
a referral TGT was received that contains the PAC of the impersonated
client - which is copied to the ticket, so of course it should be
verified.

> So I think the end result is that verification of PAC has to happen for
> both in-realm and cross-realm operations. MS-KILE and MS-SFU are written
> in a such way that non-AD implementations are allowed to get away with
> no MS-PAC tickets but AD itself assumes always producing MS-PAC in the
> tickets and thus performing verification of its content.

Actually the Windows KDC does not always require the PAC; if I issue a
very similar kvno command not involving protocol transition, then
it works ok without a PAC:
$ echo -n pwd | kinit apache@ACME.COM --no-request-pac && kvno apache@ACME.COM
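As an added illustration of the two PAC signatures the quoted MS-SFU and MS-PAC sections refer to (not code from this thread, MIT krb5 or Samba), the following Python builds a minimal PAC, signs it the way the issuing KDC would with the RC4-family HMAC-MD5 checksum, and then verifies the server signature (2.8.1) and the KDC signature (2.8.2) separately, which is the distinction the in-realm versus cross-realm S4U2proxy text relies on. The keys and the PAC_CLIENT_INFO body are constructed placeholders; real PACs carry NDR-encoded buffers and may use AES checksums, which are left out here.

```python
import hashlib, hmac, struct

PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_CLIENT_INFO = 6, 7, 10
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # -138 as a ULONG SignatureType; 16-byte signature
KERB_NON_KERB_CKSUM_SALT = 17        # key usage number used for PAC checksums

def hmac_md5_checksum(key, data, usage=KERB_NON_KERB_CKSUM_SALT):
    # KERB_CHECKSUM_HMAC_MD5 as defined in RFC 4757 section 4 (used by MS-PAC 2.8 with RC4 keys)
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, hashlib.md5(struct.pack("<I", usage) + data).digest(), hashlib.md5).digest()

def build_pac(buffers):
    # PACTYPE header (cBuffers, Version=0), PAC_INFO_BUFFER array, then 8-byte aligned data (MS-PAC 2.3, 2.4)
    off, entries, body = 8 + 16 * len(buffers), b"", b""
    for typ, data in buffers:
        entries += struct.pack("<IIQ", typ, len(data), off)
        body += data + b"\x00" * (-len(data) % 8)
        off += len(data) + (-len(data) % 8)
    return struct.pack("<II", len(buffers), 0) + entries + body

def sig_slices(pac):
    # Slice of the 16-byte Signature field (after the 4-byte SignatureType) of each checksum buffer
    where = {}
    for i in range(struct.unpack_from("<I", pac, 0)[0]):
        typ, _size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        where[typ] = slice(off + 4, off + 20)
    return where[PAC_SERVER_CHECKSUM], where[PAC_PRIVSVR_CHECKSUM]

def sign_pac(pac, server_key, kdc_key):
    # Issuing KDC: server signature over the PAC with both Signature fields zeroed (2.8.1),
    # then KDC signature over the server signature bytes only (2.8.2)
    srv, kdc = sig_slices(pac)
    out = bytearray(pac)
    out[srv] = out[kdc] = b"\x00" * 16
    out[srv] = hmac_md5_checksum(server_key, bytes(out))
    out[kdc] = hmac_md5_checksum(kdc_key, bytes(out[srv]))
    return bytes(out)

def verify_pac(pac, server_key, kdc_key):
    # Returns (server_sig_ok, kdc_sig_ok): the service's own KDC checks both,
    # a KDC in another realm only the second (MS-SFU 3.2.5.2)
    srv, kdc = sig_slices(pac)
    zeroed = bytearray(pac)
    zeroed[srv] = zeroed[kdc] = b"\x00" * 16
    srv_ok = hmac.compare_digest(hmac_md5_checksum(server_key, bytes(zeroed)), pac[srv])
    kdc_ok = hmac.compare_digest(hmac_md5_checksum(kdc_key, pac[srv]), pac[kdc])
    return srv_ok, kdc_ok

# Constructed sample input: made-up keys and a stand-in PAC_CLIENT_INFO body, not real material
SERVER_KEY, KDC_KEY = b"S" * 16, b"K" * 16
EMPTY_SIG = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16
SAMPLE_PAC = sign_pac(build_pac([(PAC_CLIENT_INFO, "client@ACME.COM".encode("utf-16-le")),
                                 (PAC_SERVER_CHECKSUM, EMPTY_SIG), (PAC_PRIVSVR_CHECKSUM, EMPTY_SIG)]),
                      SERVER_KEY, KDC_KEY)
```

Flipping a byte in the client-info buffer makes only the server signature fail, while the KDC signature still passes because it covers just the server signature bytes; that is why a KDC that checks only the KDC signature depends on the service key being unknown to whoever modified the body.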
