[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher metze at samba.org
Fri Jan 24 18:49:37 UTC 2020


Hi Greg,

> On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
> 
> Does this need to be an application flag, or can it be in the krb5.conf
> realm configuration?  Presumably people are currently working around
> this by setting [capaths] on the server; a realm variable would simplify
> this workaround by not requiring specific knowledge of the domain geometry.
> 
> I reviewed the thread, and it sounds like the current understanding is
> that AD applies a transited check (of sorts) to cross-realm tickets, but
> doesn't say so by setting the transit-policy-checked flag in the
> ticket.

Exactly.

> From the upstream point of view the server's realm
> configuration is in a better position to know that the realm is an AD
> realm than the server application; perhaps that is not true from Samba's
> point of view, but I thought I would check.

In Samba we know that we're joined to an AD domain
and then we want to force disabling the transited check
for gss_accept_sec_context().

For Samba as AD DC we also want to disable this for
krb5_rd_req_decoded in the KDC.

A krb5.conf option would also be good in order to support
non-Samba services in AD domains. But the C library should also
support changing it at runtime.

metze


