A question about S4U2Self with MIT KDC
ab at samba.org
Thu Feb 7 13:41:48 UTC 2019
On Thu, 07 Feb 2019, Isaac Boukris via samba-technical wrote:
> Thanks Alexander, I'm fine with adding the needed API, I was mainly
> trying to convince my self that it is necessary.
> But I don't agree that the MS-SFU is clear :)
Oh, I didn't say it is all that clear, just the pieces commented.
> On Thu, Feb 7, 2019 at 1:49 PM Alexander Bokovoy <ab at samba.org> wrote:
> > 188.8.131.52.2 is clear:
> > -----
> > If the KDC supports the Privilege Attribute Certificate Data Structure
> > [MS-PAC], the KDC, when populating the KERB_VALIDATION_INFO Structure
> > ([MS-KILE] section 184.108.40.206.4.1), MUST NOT include the
> > AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID ([MS-DTYP] section
> > 220.127.116.11) in the ExtraSids field and SHOULD add the
> > SERVICE_ASSERTED_IDENTITY SID ([MS-DTYP] section 18.104.22.168) instead.
> > -----
> This doesn't say anything on verifying the original PAC.
It does (3.2.5, above all the cases):
If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], the SFU KDC MUST
copy the populated fields from the PAC in the TGT to the newly created PAC and, after processing all
fields it supports, the SFU KDC MUST generate a new Server Signature ([MS-KILE], section
22.214.171.124.4.3) and KDC Signature ([MS-KILE], section 126.96.36.199.4.4) which replace the existing signature
fields in the PAC, as discussed in the sections that follow.
> This one is when the impersonated principal is not from the local realm, so
> a referral TGT was received that contains the PAC of the impersonated
> client - which is copied to the ticket, so of course it should be
> > So I think the end result is that verification of PAC has to happen for
> > both in-realm and cross-realm operations. MS-KILE and MS-SFU are written
> > in a such way that non-AD implementations are allowed to get away with
> > no MS-PAC tickets but AD itself assumes always producing MS-PAC in the
> > tickets and thus performing verification of its content.
> Actually the Windows KDC does not always require the PAC; if I issue a
> very similar kvno command not involving protocol transition, then
> it works ok without a PAC:
> $ echo -n pwd | kinit apache@ACME.COM --no-request-pac && kvno apache@ACME.COM
I think for all services that are host-based you need PAC.
/ Alexander Bokovoy
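The MS-SFU 3.2.5 rule quoted in this thread (verify the PAC carried in the presented TGT, copy its populated fields, drop AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY from ExtraSids in favour of SERVICE_ASSERTED_IDENTITY, then emit fresh Server and KDC signatures) can be modelled in a few lines. The block below is an added illustration, not code from Samba, MIT Kerberos or the participants. It is a deliberate simplification: the `Pac` dataclass holds a constructed subset of KERB_VALIDATION_INFO rather than the MS-PAC wire format, HMAC-SHA256 stands in for the real PAC checksum types, and the key names (`tgt_key` for whatever key signed the presented TGT, `kdc_key`, `service_key`) are assumptions. The two SID values are the well-known ones from MS-DTYP.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Well-known SIDs defined in MS-DTYP (real values).
AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"
SERVICE_ASSERTED_IDENTITY = "S-1-18-2"


@dataclass(frozen=True)
class Pac:
    """Constructed, simplified stand-in for a PAC: a few KERB_VALIDATION_INFO
    fields plus the two signature buffers. Not the MS-PAC wire format."""
    user_name: str
    user_rid: int
    group_rids: Tuple[int, ...]
    extra_sids: Tuple[str, ...]
    server_signature: bytes = b""
    kdc_signature: bytes = b""


class PacVerificationError(Exception):
    """Raised when the PAC in the presented TGT does not verify."""


def _signed_body(pac: Pac) -> bytes:
    # Everything except the signature fields, which MS-PAC zeroes before checksumming.
    return repr((pac.user_name, pac.user_rid, pac.group_rids, pac.extra_sids)).encode()


def sign_pac(pac: Pac, server_key: bytes, kdc_key: bytes) -> Pac:
    """Server Signature over the PAC body, KDC Signature over the Server Signature
    (that layering matches MS-PAC; HMAC-SHA256 is a stand-in for the real checksums)."""
    server_sig = hmac.new(server_key, _signed_body(pac), hashlib.sha256).digest()
    kdc_sig = hmac.new(kdc_key, server_sig, hashlib.sha256).digest()
    return replace(pac, server_signature=server_sig, kdc_signature=kdc_sig)


def verify_pac(pac: Pac, server_key: bytes, kdc_key: bytes) -> bool:
    """Recompute both signatures and compare in constant time."""
    expected = sign_pac(pac, server_key, kdc_key)
    return (hmac.compare_digest(pac.server_signature, expected.server_signature)
            and hmac.compare_digest(pac.kdc_signature, expected.kdc_signature))


def s4u2self_build_pac(tgt_pac: Optional[Pac], tgt_key: bytes, kdc_key: bytes,
                       service_key: bytes) -> Optional[Pac]:
    """KDC side of S4U2Self for a TGT that carries the impersonated client's PAC
    (the referral/cross-realm case discussed in the thread).

    - No PAC in the TGT: the service ticket gets no PAC either (returns None).
    - PAC present: it MUST verify before anything is copied out of it.
    - Copied fields are kept; ExtraSids loses S-1-18-1 and gains S-1-18-2.
    - New Server and KDC signatures replace the ones from the TGT.
    """
    if tgt_pac is None:
        return None
    if not verify_pac(tgt_pac, tgt_key, kdc_key):
        raise PacVerificationError("PAC in presented TGT failed signature verification")

    extra = [s for s in tgt_pac.extra_sids if s != AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY]
    if SERVICE_ASSERTED_IDENTITY not in extra:
        extra.append(SERVICE_ASSERTED_IDENTITY)

    new_pac = replace(tgt_pac, extra_sids=tuple(extra))
    return sign_pac(new_pac, service_key, kdc_key)


if __name__ == "__main__":
    # Constructed keys and a constructed PAC for a user who authenticated interactively.
    tgt_key, kdc_key, svc_key = b"tgt-key", b"kdc-key", b"http-service-key"
    in_tgt = sign_pac(Pac("alice", 1105, (513,), (AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY,)),
                      tgt_key, kdc_key)
    out = s4u2self_build_pac(in_tgt, tgt_key, kdc_key, svc_key)
    print("ExtraSids in S4U2Self ticket:", out.extra_sids)
    print("verifies under service key:", verify_pac(out, svc_key, kdc_key))
```

The point the model makes concrete is Alexander's: the copy step is only safe because it is preceded by verification of the TGT's PAC, and the re-signing step is what lets the target service trust the result under its own key. A tampered TGT PAC (any copied field changed) is rejected before the SID swap happens, and a TGT without a PAC simply yields a ticket without one, matching the no-PAC behaviour Isaac observed outside protocol transition.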