[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
metze at samba.org
Fri Jan 24 18:49:37 UTC 2020
> On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
> Does this need to be an application flag, or can it be in the krb5.conf
> realm configuration? Presumably people are currently working around
> this by setting [capaths] on the server; a realm variable would simplify
> this workaround by not requiring specific knowledge of the domain geometry.
> I reviewed the thread, and it sounds like the current understanding is
> that AD applies a transited check (of sorts) to cross-realm tickets, but
> doesn't say so by setting the transit-policy-checked flag in the
> From the upstream point of view the server's realm
> configuration is in a better position to know that the realm is an AD
> realm than the server application; perhaps that is not true from Samba's
> point of view, but I thought I would check.
In Samba we know that we're joined to an AD domain
and then we want to force disabling the transited check
For Samba as AD DC we also want to disable this for
krb5_rd_req_decoded in the KDC too.
A krb5.conf option would also be good in order to support
non-samba services in AD domains. But the C library should also
support changing it at runtime.
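The [capaths] workaround that Greg's reply refers to, written out as an added example (not configuration from the thread or from Samba). The realm names are hypothetical: an AD forest trust between CORP.EXAMPLE.COM and PARTNER.EXAMPLE.NET, where the client lives in the child domain EU.CORP.EXAMPLE.COM and the service in PARTNER.EXAMPLE.NET. When the service's KDC does not set the transited-policy-checked flag, the Kerberos library on the server compares the ticket's transited field against the path configured here for the (client realm, server realm) pair, so the server's krb5.conf has to spell out every hop the referral chain actually takes.

```ini
# /etc/krb5.conf on a non-Samba service host in PARTNER.EXAMPLE.NET
# (added illustration; realm names are hypothetical)

[libdefaults]
    default_realm = PARTNER.EXAMPLE.NET

[capaths]
    # A client from the EU child domain reaches us via its forest root:
    #   EU.CORP.EXAMPLE.COM -> CORP.EXAMPLE.COM -> PARTNER.EXAMPLE.NET
    # The transited field of such a ticket names CORP.EXAMPLE.COM, so it
    # must be listed as the intermediate, otherwise the library's own
    # transited check rejects the ticket.
    EU.CORP.EXAMPLE.COM = {
        PARTNER.EXAMPLE.NET = CORP.EXAMPLE.COM
    }

    # Clients from the forest root itself come in over the direct trust.
    # "." means no intermediate realm.
    CORP.EXAMPLE.COM = {
        PARTNER.EXAMPLE.NET = .
    }
```

Every additional child domain (or a shortcut trust that changes the referral path) needs its own entry, which is the "specific knowledge of the domain geometry" the reply objects to; a per-realm switch that skips the check for an AD realm would replace this whole section.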