[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Isaac Boukris iboukris at gmail.com
Fri Feb 7 12:26:14 UTC 2020


On Fri, Nov 22, 2019 at 11:45 PM Nico Williams <nico at cryptonector.com> wrote:
> On Fri, Nov 22, 2019 at 11:24:44AM +0100, Stefan Metzmacher wrote:
> > > Correspondingly and symmetrically, the right way to request some
> > > behavior on the side where the credential is available, is to associate
> > > that request with the desired_name for which the credential is acquired.
> >
> > So you mean we need to pass an explicit desired_name to
> > gss_acquire_cred_from() and use gss_set_name_attribute() calls
> > (for no_transit_check and iterate_acceptor_keytab) on that desired_name
> > before?
> Oh, wait, right.  That's not going to work when you want a default
> credential.

Maybe the name-attributes can be made complementary to the proposed
credential-options, if a service wishes to inquire this info.

More information about the samba-technical mailing list