[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Nico Williams nico at cryptonector.com
Thu Nov 21 22:39:09 UTC 2019

On Tue, Sep 24, 2019 at 02:05:05AM +0200, Stefan Metzmacher wrote:
> resuming this old thread...
> https://lists.samba.org/archive/samba-technical/2017-August/122422.html
> >> Does the Kerberos library know whether whether the application is going
> >> to look at PACs and SIDs or just use the client principal name?  I am
> >> guessing it does not.  Thus in Samba, one might need a dedicated
> >> krb5.conf configuration file that disables the transit check.  Other
> >> applications should still apply transit check even if a PAC happens
> >> to be present, as AFAIK it may well remain unused.
> > 
> > My idea was that Samba would use
> > gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
> > the the transited list should not be checked.
> I implemented GSS_KRB5_CRED_NO_TRANSIT_CHECK_X for
> MIT, Heimdal (both upstream and Samba) and make use of
> it in Samba.


The right design for this is to use name attributes, not credential
options.  Credential options should be banished altogether.

To see why consider an acceptor application that wishes to examine the
transit path (or whatever other attribute) an authenticated initiator
principal took to reach the acceptor.  What credential should the
acceptor inspect?  There is none to inspect, not for the initiator (not
even if they delegated a credential, since that one might not have
transited any realms).  The only way to inspect the transit path taken
by the initiator is to inspect its name, as that's all we have for it.
This is one reason we added name attributes.

Correspondingly and symmetrically, the right way to request some
behavior on the side where the credential is available, is to associate
that request with the desired_name for which the credential is acquired.

Credential options are not standardized, but name attributes are.
Please use those.

Consider this my code review for the Heimdal PR.

I understand that this is probably a big change, and that this request
may seem hostile (email being such a dry medium).  I'm willing to help
you make this change, both for Heimdal and MIT -- I'll help with the
code, and I'd be happy to have a conference call or exchange further


More information about the samba-technical mailing list