[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson ghudson at mit.edu
Thu Jan 23 16:15:32 UTC 2020


On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
> it would be great if we could make some progress here...

Does this need to be an application flag, or can it be in the krb5.conf
realm configuration?  Presumably people are currently working around
this by setting [capaths] on the server; a realm variable would simplify
this workaround by not requiring specific knowledge of the domain geometry.

I reviewed the thread, and it sounds like the current understanding is
that AD applies a transited check (of sorts) to cross-realm tickets, but
 doesn't say so by setting the transit-policy-checked flag in the
ticket.  From the upstream point of view the server's realm
configuration is in a better position to know that the realm is an AD
realm than the server application; perhaps that is not true from Samba's
point of view, but I thought I would check.



More information about the samba-technical mailing list