Question about excluding the PAC


Question about excluding the PAC

Schwartz, John
All, I have a Kerberos 5 implementation running on Linux that is integrated with the web server for website SSO access.

I have a need to exclude the PAC from the request ticket and am looking for the simplest way to do that.

I see that kinit has the option "--no-request-pac"

Is there a similar way to do it from the krb5.conf or does it need a custom shared object?

If it needs a custom shared object, can someone provide sample code?  I am not able to tell from the existing documentation what needs to be done.

Any assistance is greatly appreciated.

Thank you,

Anthem, Inc.



John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]




CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Question about excluding the PAC

Greg Hudson
On 1/25/19 4:56 PM, Schwartz, John wrote:
> I see that kinit has the option "--no-request-pac"
>
> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?

There is no krb5.conf variable, but if you have control of the web
server C code which invokes krb5_get_init_creds_password(), you can do
it via a get_init_creds option.  The relevant functions are:

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_alloc.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_free.html

Note that this option is new in release 1.15.

RE: Question about excluding the PAC

Schwartz, John
Thank you Greg.  I have access to the server but do not have access to the direct source code and am using the standard build.  I had been reading that custom plugins can be created and referenced in the krb5.conf but am a little lost on what libraries (for instance) need to be included in the source code in order for me to use a certain function.

Thank you for your input.

BTW, do you know how I can validate what exact version I am using?

Thanks,

Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]



-----Original Message-----
From: Greg Hudson [mailto:[hidden email]]
Sent: Friday, January 25, 2019 2:57 PM
To: Schwartz, John <[hidden email]>; [hidden email]
Subject: Re: Question about excluding the PAC


Re: Question about excluding the PAC

Mark Pröhl
Hi,

I wonder what kind of Kerberos infrastructure is providing the PAC. In
case of Active Directory you typically can get rid of the pac by
modifying the service account that is associated with the HTTP
principal. This only affects tickets for that particular service.
Maybe your implementation on Linux offers a similar way?

Regards,

Mark Pröhl

RE: Question about excluding the PAC

Schwartz, John
The KDC is Active Directory. The problem is that I need to do this for all logged-in users, and the main reason is that we do not need authorization data and we had to increase the HTTP header size to the maximum to allow what we have. I fear that once a few users get added to a few more groups, it can push us over the limit.

The other way to fix it is if there was good group management but with around 70K users, that would be nearly impossible to remediate.

No one needs to be a part of a couple of hundred or more groups.

Kerberos provides documentation to code APIs and reference them from the krb5.conf but (at least for me) it is not clear enough on how to integrate.

They provide the variable that needs to be modified but do not say which header file it belongs to etc...

Thanks,

Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]


-----Original Message-----
From: Mark Pröhl [mailto:[hidden email]]
Sent: Tuesday, January 29, 2019 12:59 PM
To: Schwartz, John <[hidden email]>; [hidden email]
Subject: Re: Question about excluding the PAC

Re: Question about excluding the PAC

Simo Sorce-3
The best and only way forward for you is to ask your AD admins to
disable PAC for your HTTP server. Then *all* clients will get tickets
w/o the PAC. You cannot do anything on the HTTP server, it is too late,
big tickets with PACs have already been sent to you.

Regards,
Simo.

On Tue, 2019-01-29 at 21:05 +0000, Schwartz, John wrote:

Re: Question about excluding the PAC

Schwartz, John
So are we talking about the HTTP service or the service account that binds to the KDC?

Sent from my iPhone

> On Jan 30, 2019, at 3:00 AM, Simo Sorce <[hidden email]> wrote:
>
> The best and only way forward for you is to ask your AD admins to
> disable PAC for your HTTP server. Then *all* clients will get tickets
> w/o the PAC. You cannot do anything on the HTTP server, it is too late,
> big tickets with PACs have already been sent to you.
>
> Regards,
> Simo.

Re: Question about excluding the PAC

Mark Pröhl
Some more tips/links:

(1) You should check that no other kerberized services that require
    service tickets with a PAC are associated with the same AD account
    as your web service. It is best practice to use a dedicated AD
    service account only for the HTTP principal.

(2) Technically you need to modify the attribute userAccountControl of
    the AD account that is associated with the HTTP principal. This
    attribute is a bit-mask and you need to add the value 0x02000000
    (ADS_UF_NO_AUTH_DATA_REQUIRED). See also:
    https://msdn.microsoft.com/en-us/library/cc223145.aspx.

(3) IMO the easiest way to disable PAC is provided by msktutil
    (https://github.com/msktutil/msktutil).
    Run "man msktutil" and search for --no-pac.

(4) Users need to obtain new Kerberos tickets after this modification

- Mark


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
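Mark's tips (1) and (2) above, worked through as an added example that is not part of the thread, of msktutil or of any other project it mentions. It assumes the service account's attributes have already been fetched out of band (for instance with ldapsearch) and are passed in as a plain dict; the DN, the sample userAccountControl value and the SPN list are constructed placeholders. Rather than writing to the directory, it decodes the current bit-mask, refuses when the account also carries non-HTTP SPNs (tip 1), and emits the LDIF "replace" record that ldapmodify would apply to add ADS_UF_NO_AUTH_DATA_REQUIRED (tip 2):

```python
# Added example: plan the userAccountControl change that makes an AD KDC
# omit the PAC from service tickets for one service account.
# Assumes attributes were fetched out of band; emits LDIF, never writes AD.

from typing import Dict, List, Optional

# Well-known userAccountControl bit values (MS-ADTS / iads.h names).
ADS_UF_ACCOUNTDISABLE = 0x00000002
ADS_UF_NORMAL_ACCOUNT = 0x00000200
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_TRUSTED_FOR_DELEGATION = 0x00080000
ADS_UF_NO_AUTH_DATA_REQUIRED = 0x02000000  # "no PAC in service tickets"

UAC_FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    ADS_UF_NO_AUTH_DATA_REQUIRED: "NO_AUTH_DATA_REQUIRED",
}


def decode_uac(uac: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if uac & bit]


def pac_disabled(uac: int) -> bool:
    """True when the KDC has been told to omit authorization data (the PAC)."""
    return bool(uac & ADS_UF_NO_AUTH_DATA_REQUIRED)


def with_pac_disabled(uac: int) -> int:
    """Return the bit-mask with NO_AUTH_DATA_REQUIRED added; other bits untouched."""
    return uac | ADS_UF_NO_AUTH_DATA_REQUIRED


def foreign_spns(spns: List[str], service_class: str = "HTTP") -> List[str]:
    """SPNs on the account whose service class is not the web service.

    Tip (1): every other kerberized service sharing this account would also
    stop receiving a PAC, so a non-empty result is a reason not to proceed.
    """
    return [s for s in spns if s.split("/", 1)[0].upper() != service_class.upper()]


def uac_modify_ldif(dn: str, current_uac: int) -> Optional[str]:
    """LDIF 'replace' record for ldapmodify, or None if the bit is already set."""
    if pac_disabled(current_uac):
        return None
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {with_pac_disabled(current_uac)}",
        "-",
        "",
    ])


def plan_change(account: Dict[str, object]) -> Dict[str, object]:
    """Summarize the account's current flags and the change that would be made."""
    uac = int(account["userAccountControl"])  # type: ignore[arg-type]
    spns = list(account.get("servicePrincipalName", []))  # type: ignore[arg-type]
    return {
        "flags_now": decode_uac(uac),
        "pac_disabled": pac_disabled(uac),
        "shared_with": foreign_spns(spns),
        "ldif": uac_modify_ldif(str(account["dn"]), uac),
    }


# Constructed sample account (placeholder DN and values, not from the thread).
SAMPLE_ACCOUNT = {
    "dn": "CN=svc-web,OU=Service Accounts,DC=example,DC=com",
    "userAccountControl": 66048,  # 0x10200: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "servicePrincipalName": ["HTTP/www.example.com", "HTTP/www"],
}

if __name__ == "__main__":
    plan = plan_change(SAMPLE_ACCOUNT)
    print("current flags:", ", ".join(plan["flags_now"]))
    if plan["shared_with"]:
        print("refusing: account also serves", plan["shared_with"])
    elif plan["ldif"] is None:
        print("nothing to do: NO_AUTH_DATA_REQUIRED already set")
    else:
        print(plan["ldif"])
```

The bit is OR-ed into the existing mask rather than written as a fixed number, so an account that is disabled, has a non-expiring password or is trusted for delegation keeps those settings. As tip (4) says, the change only affects tickets issued afterwards: a client that already holds a service ticket for the HTTP principal keeps presenting the PAC until that ticket is discarded (kdestroy) and a fresh one is obtained.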

Re: Question about excluding the PAC

Schwartz, John
Thanks everyone, I will investigate the options. I know there is also a --nopac option on the kinit that I can set for the SPN but not sure if that will apply to.

Thanks again

Sent from my iPhone

> On Jan 30, 2019, at 4:21 AM, Mark Pröhl <[hidden email]> wrote:
>
> Some more tips/links:
>
> (1) You should check that no others kerberized services that require
>    service tickets with a PAC are associated with the same AD account
>    as your web service. It is best practice to use a dedicated AD
>    service account only for the HTTP principal.
>
> (2) Technically you need to modify the attribute userAccounControl of
>    the AD account that is associated with the HTTP principal. This
>    attribute is a bit-mask and you need to add the value 0x02000000
>    (ADS_UF_NO_AUTH_DATA_REQUIRED). See also:
>    https://urldefense.proofpoint.com/v2/url?u=https-3A__msdn.microsoft.com_en-2Dus_library_cc223145.aspx&d=DwIDaQ&c=A-GX6P9ovB1qTBp7iQve2Q&r=9ggArrKwg0XCMk2h_JcalRiGjZ1d7o1PDuo5y6VpEPI&m=52UngoH6izxN_k8vacztJN8M-wKd6WTUfFDqsZlB01E&s=LrwfQR_dBBHJn0s3RDfGMWW58eADP-rBNVfMbQY-9as&e=.
>
> (3) IMO the easiest way to disable PAC is provided by msktutil
>    (https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_msktutil_msktutil&d=DwIDaQ&c=A-GX6P9ovB1qTBp7iQve2Q&r=9ggArrKwg0XCMk2h_JcalRiGjZ1d7o1PDuo5y6VpEPI&m=52UngoH6izxN_k8vacztJN8M-wKd6WTUfFDqsZlB01E&s=1BTHnzAv_4x44gZ12vV6jJu8-Q_oKrnXDkF6gfhW5Jc&e=).
>    Man msktutil and search for --no-pac
>
> (4) Users need to obtain new Kerberos tickets after this modification
>
> - Mark
>
>
>> On 1/30/19 12:00 PM, Simo Sorce wrote:
>> The best and only way forward for you is to ask your AD admins to
>> disable PAC for your HTTP server. Then *all* clients will get tickets
>> w/o the PAC. You cannot do anything on the HTTP server, it is too late,
>> big tickets with PACs have already been sent to you.
>>
>> Regards,
>> Simo.
>>
>>> On Tue, 2019-01-29 at 21:05 +0000, Schwartz, John wrote:
>>> The KDC is Active Directory. The problem I need to do for all logged in users and the main reason is that we do not need authorization data and we had to increase the http header size to the max to allow what we have. I fear that once a few users get added to a few more groups, it can push us over the limit.
>>>
>>> The other way to fix it is if there was good group management but with around 70K users, that would be nearly impossible to remediate.
>>>
>>> No one needs to be a part of a couple of hundred or more groups.
>>>
>>> Kerberos provides documentation to code API's and reference them from the krb5.conf but (at least for me) it is not clear enough of how to integrate.
>>>
>>> They provider the variable that needs to be modified but do not say which header file it belongs to etc...
>>>
>>> Thanks,
>>>
>>> Anthem, Inc.
>>>
>>> John Schwartz,  Exec Advisor, Authentication Services
>>> 21555 Oxnard St., Woodland Hills, California 91367
>>> O: (818) 234-6763 |
>>> [hidden email]
>>>
>>>
>>> -----Original Message-----
>>> From: Mark Pröhl [mailto:[hidden email]]
>>> Sent: Tuesday, January 29, 2019 12:59 PM
>>> To: Schwartz, John <[hidden email]>; [hidden email]
>>> Subject: Re: Question about excluding the PAC
>>>
>>> Hi,
>>>
>>> I wonder what kind of Kerberos infrastructure is providing the PAC. In case of Active Directory you typically can get rid of the pac by modifying the service account that is associated with the HTTP principal. This only affects tickets for that particular service.
>>> Maybe your implementation on Linux offers a similar way?
>>>
>>> Regards,
>>>
>>> Mark Pröhl
>>>

RE: Question about excluding the PAC

Schwartz, John
In reply to this post by Mark Pröhl
Hi guys, I had the recommended flag set on the service account and it does not appear to have the desired effect. Would you know if any services need to be restarted or a cache cleared?

It is still passing the authorization data for my account.

[inline image image001.png not reproduced]

Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]


-----Original Message-----
From: Mark Pröhl [mailto:[hidden email]]
Sent: Wednesday, January 30, 2019 4:22 AM
To: Simo Sorce <[hidden email]>; Schwartz, John <[hidden email]>; [hidden email]
Subject: Re: Question about excluding the PAC

Some more tips/links:

(1) You should check that no other kerberized services that require
    service tickets with a PAC are associated with the same AD account
    as your web service. It is best practice to use a dedicated AD
    service account only for the HTTP principal.

(2) Technically you need to modify the attribute userAccountControl of
    the AD account that is associated with the HTTP principal. This
    attribute is a bit-mask and you need to add the value 0x02000000
    (ADS_UF_NO_AUTH_DATA_REQUIRED). See also:
    https://msdn.microsoft.com/en-us/library/cc223145.aspx

(3) IMO the easiest way to disable the PAC is provided by msktutil
    (https://github.com/msktutil/msktutil).
    Man msktutil and search for --no-pac

(4) Users need to obtain new Kerberos tickets after this modification

- Mark

On 1/30/19 12:00 PM, Simo Sorce wrote:

> The best and only way forward for you is to ask your AD admins to
> disable PAC for your HTTP server. Then *all* clients will get tickets
> w/o the PAC. You cannot do anything on the HTTP server, it is too
> late, big tickets with PACs have already been sent to you.
>
> Regards,
> Simo.
>
> On Tue, 2019-01-29 at 21:05 +0000, Schwartz, John wrote:
>> The KDC is Active Directory. The problem is that I need to do this for all logged-in users, and the main reason is that we do not need authorization data and we had to increase the HTTP header size to the max to allow what we have. I fear that once a few users get added to a few more groups, it can push us over the limit.
>>
>> The other way to fix it is if there was good group management, but with around 70K users that would be nearly impossible to remediate.
>>
>> No one needs to be a part of a couple of hundred or more groups.
>>
>> Kerberos provides documentation to code APIs and reference them from the krb5.conf, but (at least for me) it is not clear enough on how to integrate.
>>
>> They provide the variable that needs to be modified but do not say which header file it belongs to, etc.
>>
>> Thanks,
>>
>> Anthem, Inc.
>>
>> John Schwartz,  Exec Advisor, Authentication Services
>> 21555 Oxnard St., Woodland Hills, California 91367
>> O: (818) 234-6763 |
>> [hidden email]
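Mark's steps (1), (2) and (4), turned into a small script. This is an added example and not part of the thread: it takes what an LDAP search of the service account would return (here constructed dicts with made-up DNs and SPNs), refuses to proceed if the account also carries SPNs for other services, ORs 0x02000000 into userAccountControl without disturbing the other bits, and emits the LDIF an administrator would feed to ldapmodify. Nothing in it talks to a directory or a KDC.

```python
"""Prepare and verify the ADS_UF_NO_AUTH_DATA_REQUIRED change on an AD service account.

Added example (not code from the krbdev thread).  Follows Mark's message:
confirm the account is dedicated to the HTTP principal, set bit 0x02000000
in userAccountControl, and check the result.  The entries below are
constructed dicts standing in for LDAP search results; DNs and SPNs are made up.
"""

ADS_UF_NO_AUTH_DATA_REQUIRED = 0x02000000   # userAccountControl bit from MS-ADTS / cc223145


def service_classes(spns):
    """'HTTP/www.example.com:8443' -> 'HTTP'; return the set of service classes on the account."""
    return {spn.split("/", 1)[0].upper() for spn in spns}


def check_dedicated(entry, service_class="HTTP"):
    """Tip (1): refuse if any SPN on the account belongs to another service.
    Every service behind this account would stop receiving PACs, not just the web server."""
    others = service_classes(entry.get("servicePrincipalName", [])) - {service_class.upper()}
    if others:
        raise ValueError(f"{entry['dn']} also serves {sorted(others)}; use a dedicated account")
    return True


def new_uac(current):
    """Tip (2): OR the flag into the existing bit-mask; other flags are preserved."""
    return int(current) | ADS_UF_NO_AUTH_DATA_REQUIRED


def has_no_auth_data_required(uac):
    """Verification step: True once the flag is present in the attribute value."""
    return bool(int(uac) & ADS_UF_NO_AUTH_DATA_REQUIRED)


def ldif_for_no_pac(entry):
    """Return an LDIF change record for ldapmodify, or None if the flag is already set."""
    check_dedicated(entry)
    current = int(entry["userAccountControl"])
    updated = new_uac(current)
    if updated == current:
        return None                          # idempotent: nothing to change
    return (
        f"dn: {entry['dn']}\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        f"userAccountControl: {updated}\n"
    )


# Constructed sample entries, not real directory data.
WEB_SVC = {
    "dn": "CN=svc-web,OU=Service Accounts,DC=example,DC=com",
    "userAccountControl": "66048",           # NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000)
    "servicePrincipalName": ["HTTP/www.example.com", "HTTP/www"],
}
SHARED_SVC = dict(WEB_SVC, dn="CN=svc-shared,OU=Service Accounts,DC=example,DC=com",
                  servicePrincipalName=["HTTP/intranet.example.com", "cifs/files.example.com"])

if __name__ == "__main__":
    print(ldif_for_no_pac(WEB_SVC))
    try:
        ldif_for_no_pac(SHARED_SVC)
    except ValueError as err:
        print("refused:", err)
```

The LDIF can be applied with the AD admins' own tooling or with the OpenLDAP client against a domain controller (for example `ldapmodify -H ldaps://dc.example.com -Y GSSAPI -f change.ldif`; the host name is assumed). `has_no_auth_data_required` doubles as the check after the change; as Mark's step (4) says, the effect is only visible in tickets users obtain after the modification.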

Re: Question about excluding the PAC

Simo Sorce-3
You need to obtain new tickets, so you either purge the tickets you
have, or you can simply logout and log back in to get a clean slate.

On Sat, 2019-02-02 at 19:51 +0000, Schwartz, John wrote:
> Hi guys, I had the recommended flag set on the service account and it does not appear to have the desired effect. Would you know if any services need to be restarted or a cache cleared?
>
> It is still passing the authorization data for my account.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc



RE: Question about excluding the PAC

Schwartz, John
Thanks. It does not seem to be working.  To be clear, I am trying to reduce this large HTTP header to a simple authentication token.

Authorization: Negotiate [start of token elided]38Elcaixq10/i6jesOsRB6eGFoHVDEgobkigXG2A6LlCjveH/ujhqj3leT35Ah2ts3LJ8HKEgLDjGCTZG0Mw+yTJz4fiB+S4fbE9hZ51lne77sexZbDgLBs97yTrZaisOFCIyeylGzE1ZxQCD7uHF3cGa/DZPG7R+uMxWskFnoWmEGzVVH3UsCjs1PnGywpeut8NPsk7ma3neHqurNaTGzmfSsQNBdw/lSp2q1bn6N72DZ7GQ5+FPiD5EgG1WQfb1uOkbCDvMlyHVS493jlTRfWwYIgH5rTvcejM97dY1u88HBmA13VDlL6/jNvVyEg33JCJDKNWDvJQc/LTOgf7yHbLhkzmKivACaoK05kwEE67f4yFcocukaGzVd5UhxXKt1pxIAnx5n0VQ0PVwmJ5OBVN96pcKxDKcSLVSjqBcACiYnZ/daw==

Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]


-----Original Message-----
From: Simo Sorce [mailto:[hidden email]]
Sent: Monday, February 04, 2019 6:13 AM
To: Schwartz, John <[hidden email]>; Mark Pröhl <[hidden email]>; [hidden email]
Subject: Re: Question about excluding the PAC

You need to obtain new tickets, so you either purge the tickets you have, or you can simply logout and log back in to get a clean slate.

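The header John pasted is a SPNEGO token whose Kerberos AP-REQ carries the service ticket. The PAC travels inside the ticket's enc-part, which only the service key opens, so anything that does not hold that key (a proxy, a log pipeline, a header-size limit) can measure the PAC but not read it. The Python walker below is an added example, not code from the thread: it decodes an Authorization: Negotiate value through the GSS-API and SPNEGO framing down to the AP-REQ and reports the size of each layer, including the enc-part cipher text. Because the token in the message is truncated, the script constructs its own sample tokens with a minimal DER encoder (made-up realm EXAMPLE.COM and SPN, zero-filled cipher text), one with a large enc-part and one with a small one.

```python
"""Decode an 'Authorization: Negotiate' value and report where its bytes go.

Added example, not code from the krbdev thread.  Follows the GSS-API (RFC 2743)
and SPNEGO (RFC 4178) framing down to the Kerberos AP-REQ (RFC 4120) and returns
the size of each layer; the ticket's enc-part is where a PAC adds its bytes.
Standard library only.  The sample token is constructed below with a tiny DER
encoder (made-up realm and SPN, zero-filled cipher text), not captured from a KDC.
"""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2


def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def der_find(buf, start, end, tag):
    """Value bounds of the first child TLV with `tag` packed in buf[start:end]."""
    while start < end:
        t, vs, ve, start = der_read(buf, start)
        if t == tag:
            return vs, ve
    raise ValueError(f"tag 0x{tag:02x} not found")


def inspect_negotiate(header_value):
    """Byte sizes of: whole token, Kerberos token, AP-REQ, Ticket, enc-part cipher."""
    tok = base64.b64decode(header_value.split(None, 1)[-1])
    sizes = {"token": len(tok)}
    tag, vs, _, _ = der_read(tok)                  # GSS InitialContextToken [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, os_, oe, nxt = der_read(tok, vs)            # mechanism OID
    if tok[os_:oe] == SPNEGO_OID:                  # NegTokenInit ::= [0] SEQUENCE { ..., [2] mechToken }
        _, ns, _, _ = der_read(tok, nxt)
        _, ss, se, _ = der_read(tok, ns)
        ms, _ = der_find(tok, ss, se, 0xA2)
        _, ks, ke, _ = der_read(tok, ms)           # mechToken OCTET STRING
        tok = tok[ks:ke]                           # the embedded Kerberos GSS token
        _, vs, _, _ = der_read(tok)
        _, os_, oe, nxt = der_read(tok, vs)
    if tok[os_:oe] != KRB5_OID or tok[nxt:nxt + 2] != b"\x01\x00":   # TOK_ID 01 00 = AP-REQ
        raise ValueError("inner token is not a Kerberos V5 AP-REQ")
    sizes["krb5_token"] = len(tok)
    _, aps, ape, _ = der_read(tok, nxt + 2)        # AP-REQ [APPLICATION 14]
    sizes["ap_req"] = ape - (nxt + 2)
    _, sq_s, sq_e, _ = der_read(tok, aps)          # SEQUENCE { [0] pvno, [1] msg-type, [2] ap-options, [3] ticket, [4] authenticator }
    ts, te = der_find(tok, sq_s, sq_e, 0xA3)
    sizes["ticket"] = te - ts
    _, tk_s, _, _ = der_read(tok, ts)              # Ticket [APPLICATION 1]
    _, tq_s, tq_e, _ = der_read(tok, tk_s)         # SEQUENCE { [0] tkt-vno, [1] realm, [2] sname, [3] enc-part }
    es, _ = der_find(tok, tq_s, tq_e, 0xA3)
    _, ed_s, ed_e, _ = der_read(tok, es)           # EncryptedData { [0] etype, [1] kvno, [2] cipher }
    cs, _ = der_find(tok, ed_s, ed_e, 0xA2)
    _, c_s, c_e, _ = der_read(tok, cs)             # cipher OCTET STRING: the PAC is in here
    sizes["enc_part_cipher"] = c_e - c_s
    return sizes


def der(tag, *parts):
    """Minimal DER encoder, used only to construct sample tokens."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v): return der(0x02, bytes([v]))          # small non-negative INTEGERs only
def _gstr(s): return der(0x1B, s.encode("ascii"))  # GeneralString (KerberosString)


def build_sample_negotiate(enc_part_len):
    """Constructed SPNEGO token carrying an AP-REQ whose ticket enc-part cipher is enc_part_len bytes."""
    sname = der(0x30, der(0xA0, _int(2)),
                der(0xA1, der(0x30, _gstr("HTTP"), _gstr("www.example.com"))))
    enc_part = der(0x30, der(0xA0, _int(18)), der(0xA1, _int(3)),
                   der(0xA2, der(0x04, bytes(enc_part_len))))        # zero-filled stand-in
    ticket = der(0x61, der(0x30, der(0xA0, _int(5)), der(0xA1, _gstr("EXAMPLE.COM")),
                           der(0xA2, sname), der(0xA3, enc_part)))
    authenticator = der(0x30, der(0xA0, _int(18)), der(0xA2, der(0x04, bytes(160))))
    ap_req = der(0x6E, der(0x30, der(0xA0, _int(5)), der(0xA1, _int(14)),
                           der(0xA2, der(0x03, bytes(5))),           # ap-options, no flags
                           der(0xA3, ticket), der(0xA4, authenticator)))
    krb_tok = der(0x60, der(0x06, KRB5_OID), b"\x01\x00", ap_req)
    neg_init = der(0xA0, der(0x30, der(0xA0, der(0x30, der(0x06, KRB5_OID))),
                             der(0xA2, der(0x04, krb_tok))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID), neg_init)).decode()


if __name__ == "__main__":
    for label, n in (("large enc-part", 3000), ("small enc-part", 300)):
        hdr = build_sample_negotiate(n)
        print(f"{label}: {len(hdr)} header chars", inspect_negotiate(hdr))
```

On a real capture, pass the full header value to `inspect_negotiate`. The two constructed tokens differ only in the enc-part, and that difference reaches the header through base64 at four characters per three bytes, so every kilobyte of PAC costs about 1.33 kB of header.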

RE: Question about excluding the PAC

Schwartz, John
Maybe it is working and I had different expectations.  It seems to have reduced the header size from about 6900 to 4500.  Is it normal for an authentication token (without authorization data) to be as much as 4500?  I was just comparing to NTLM, which was closer to 20.

If that is normal, then this is good news and should greatly help.

Thanks again for all of your input.


Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Schwartz, John
Sent: Monday, February 04, 2019 11:09 AM
To: Simo Sorce <[hidden email]>; Mark Pröhl <[hidden email]>; [hidden email]
Subject: RE: Question about excluding the PAC

Thanks. It does not seem to be working.  To be clear, I am trying to reduce this large HTTP header to a simple authentication token.

Authorization: Negotiate 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

38Elcaixq10/i6jesOsRB6eGFoHVDEgobkigXG2A6LlCjveH/ujhqj3leT35Ah2ts3LJ8HKEgLDjGCTZG0Mw+yTJz4fiB+S4fbE9hZ51lne77sexZbDgLBs97yTrZaisOFCIyeylGzE1ZxQCD7uHF3cGa/DZPG7R+uMxWskFnoWmEGzVVH3UsCjs1PnGywpeut8NPsk7ma3neHqurNaTGzmfSsQNBdw/lSp2q1bn6N72DZ7GQ5+FPiD5EgG1WQfb1uOkbCDvMlyHVS493jlTRfWwYIgH5rTvcejM97dY1u88HBmA13VDlL6/jNvVyEg33JCJDKNWDvJQc/LTOgf7yHbLhkzmKivACaoK05kwEE67f4yFcocukaGzVd5UhxXKt1pxIAnx5n0VQ0PVwmJ5OBVN96pcKxDKcSLVSjqBcACiYnZ/daw==

Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
[hidden email]


-----Original Message-----
From: Simo Sorce [mailto:[hidden email]]
Sent: Monday, February 04, 2019 6:13 AM
To: Schwartz, John <[hidden email]>; Mark Pröhl <[hidden email]>; [hidden email]
Subject: Re: Question about excluding the PAC

You need to obtain new tickets, so you either purge the tickets you have, or you can simply logout and log back in to get a clean slate.

On Sat, 2019-02-02 at 19:51 +0000, Schwartz, John wrote:

> Hi guys, I had the recommend flag set on the service account and it does not appear to have the desired effect. Would you know if any services need to be restarted or cache cleared?
>
>
>
> It is still passing the authorization data for my account.
>
>
>
> [cid:image001.png@01D4BAED.A0583DA0]
>
>
>
> Anthem, Inc.
>
> John Schwartz,  Exec Advisor, Authentication Services
>
> 21555 Oxnard St., Woodland Hills, California 91367
>
> O: (818) 234-6763 |
>
> [hidden email]
>
>
>
> -----Original Message-----
> From: Mark Pröhl [mailto:[hidden email]]
> Sent: Wednesday, January 30, 2019 4:22 AM
> To: Simo Sorce <[hidden email]>; Schwartz, John
> <[hidden email]>; [hidden email]
> Subject: Re: Question about excluding the PAC
>
>
>
> Some more tips/links:
>
>
>
> (1) You should check that no others kerberized services that require
>
>     service tickets with a PAC are associated with the same AD account
>
>     as your web service. It is best practice to use a dedicated AD
>
>     service account only for the HTTP principal.
>
>
>
> (2) Technically you need to modify the attribute userAccounControl of
>
>     the AD account that is associated with the HTTP principal. This
>
>     attribute is a bit-mask and you need to add the value 0x02000000
>
>     (ADS_UF_NO_AUTH_DATA_REQUIRED). See also:
>
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__msdn.microsoft.com_en-2Dus_library_cc223145.aspx&d=DwIDaQ&c=A-GX6P9ovB1qTBp7iQve2Q&r=9ggArrKwg0XCMk2h_JcalRiGjZ1d7o1PDuo5y6VpEPI&m=52UngoH6izxN_k8vacztJN8M-wKd6WTUfFDqsZlB01E&s=LrwfQR_dBBHJn0s3RDfGMWW58eADP-rBNVfMbQY-9as&e=.
>
>
>
> (3) IMO the easiest way to disable PAC is provided by msktutil
>
>     (https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_msktutil_msktutil&d=DwIDaQ&c=A-GX6P9ovB1qTBp7iQve2Q&r=9ggArrKwg0XCMk2h_JcalRiGjZ1d7o1PDuo5y6VpEPI&m=52UngoH6izxN_k8vacztJN8M-wKd6WTUfFDqsZlB01E&s=1BTHnzAv_4x44gZ12vV6jJu8-Q_oKrnXDkF6gfhW5Jc&e=).
>
>     Man msktutil and search for --no-pac
>
>
>
> (4) Users need to obtain new Kerberos tickets after this modification
>
>
>
> - Mark
>
>
>
>
>
> On 1/30/19 12:00 PM, Simo Sorce wrote:
>
> > The best and only way forward for you is to ask your AD admins to
> > disable PAC for your HTTP server. Then *all* clients will get
> > tickets w/o the PAC. You cannot do anything on the HTTP server, it
> > is too late, big tickets with PACs have already been sent to you.
> >
> > Regards,
> > Simo.
> >

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
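Mark's checklist quoted above, as an added example that is not code from the thread, from msktutil or from Anthem: a small Python review helper that applies step (2) as a bit-wise OR (so no other userAccountControl bit is disturbed), flags the shared-SPN risk from step (1), carries the "new tickets" reminder from step (4), and emits the LDIF an admin would review before applying it with ldapmodify. The flag names and values are the documented ADS_UF_* bits; the DN, SPN list and starting userAccountControl are constructed sample data.

```python
# Added example (not from the thread): plan the userAccountControl change
# described in the quoted checklist, the way an AD/IdM engineer would review
# it before applying it. Flag names/values follow the ADS_USER_FLAG_ENUM.
from typing import Dict, List, Tuple

ADS_UF_NO_AUTH_DATA_REQUIRED = 0x02000000   # the bit step (2) adds

# Subset of userAccountControl bits that matter for a Kerberos service account.
UAC_FLAGS: Dict[int, str] = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}


def decode_uac(value: int) -> List[str]:
    """Name every known bit set in a userAccountControl value (lowest bit first)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def plan_no_pac(entry: dict) -> Tuple[int, List[str]]:
    """Return (new userAccountControl, review notes) for setting NO_AUTH_DATA_REQUIRED.

    entry mimics an LDAP search result: {"dn", "userAccountControl",
    "servicePrincipalName": [...]}.  The bit is OR-ed in so every other bit
    keeps its value; the notes implement checks (1) and (4) of the checklist.
    """
    uac = int(entry["userAccountControl"])
    spns = entry.get("servicePrincipalName", [])
    notes: List[str] = []

    # (1) Only the HTTP service should live on this account: every other SPN
    # on it would also start receiving PAC-less service tickets.
    others = [s for s in spns if not s.upper().startswith("HTTP/")]
    if others:
        notes.append("account also serves non-HTTP SPNs: " + ", ".join(others))
    if not spns:
        notes.append("account has no servicePrincipalName; is this the right object?")

    if uac & ADS_UF_NO_AUTH_DATA_REQUIRED:
        notes.append("NO_AUTH_DATA_REQUIRED already set; nothing to change")
        return uac, notes

    # (4) Clients keep cached service tickets until they expire or are purged,
    # so the Authorization header will not shrink until users re-authenticate.
    notes.append("users must obtain new service tickets (kdestroy/kinit or re-logon)")
    return uac | ADS_UF_NO_AUTH_DATA_REQUIRED, notes


def to_ldif(dn: str, new_uac: int) -> str:
    """LDIF modify/replace record; userAccountControl is stored as a decimal integer."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        f"userAccountControl: {new_uac}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample account (not a real object): NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    svc = {
        "dn": "CN=svc-web,OU=ServiceAccounts,DC=example,DC=com",
        "userAccountControl": 0x10200,
        "servicePrincipalName": ["HTTP/www.example.com", "HTTP/www"],
    }
    new_uac, review = plan_no_pac(svc)
    print(hex(new_uac), decode_uac(new_uac))
    for line in review:
        print("note:", line)
    print(to_ldif(svc["dn"], new_uac))
```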



Re: Question about excluding the PAC

Andrew Bartlett
On Mon, 2019-02-04 at 19:32 +0000, Schwartz, John wrote:
> Maybe it is working and I had different expectations.  It seems to
> have reduced the header size from about 6900 to 4500.  Is it normal
> for an authentication token (without authorization data) to be as
> much as 4500?  I was just comparing to NTLM which was closer to 20.

Off tangent, but to reset expectations, an NTLM header of 20 bytes
would be just the first 'type 1' or NtLmNegotiate packet, which hasn't
got any useful info in it.  The NtLmChallenge is bigger and
the NtLmAuthenticate is hundreds of bytes.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
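To put Andrew's size figures in context, an added example that is not code from the thread or from Samba: a Python classifier that decodes an Authorization header value, tells an NTLMSSP message (and which of the three types it is) apart from a SPNEGO or raw Kerberos GSS-API token, and reports both the base64 length the web server's header limit sees and the decoded byte count. The three tokens it runs on are constructed minimal samples, not captured traffic.

```python
# Added example (not from the thread or from Samba): decode an HTTP
# Authorization header value and report which mechanism and message it
# carries, plus its size in header characters and in decoded bytes.
import base64
import struct
from typing import Dict

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NtLmNegotiate", 2: "NtLmChallenge", 3: "NtLmAuthenticate"}
# DER-encoded mechanism OIDs that follow the 0x60 tag of a GSS-API
# InitialContextToken (RFC 2743 section 3.1).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _after_der_length(buf: bytes, pos: int) -> bytes:
    """Skip the DER length field at buf[pos] and return what follows it."""
    first = buf[pos]
    if first < 0x80:                          # short form: one length byte
        return buf[pos + 1:]
    return buf[pos + 1 + (first & 0x7F):]     # long form: (first & 0x7F) length bytes


def classify_auth_header(value: str) -> Dict[str, object]:
    """Classify an 'Authorization:' header value such as "Negotiate YIIF..." or "NTLM TlRM..."."""
    scheme, _, token_b64 = value.strip().partition(" ")
    token = base64.b64decode(token_b64, validate=True)
    info: Dict[str, object] = {
        "scheme": scheme,
        "header_chars": len(value),      # what the web server's header limit sees
        "token_bytes": len(token),       # base64 inflates this by roughly 4/3
        "mechanism": "unknown",
        "message": "unknown",
    }
    if token.startswith(NTLMSSP_SIGNATURE) and len(token) >= 12:
        # NTLMSSP: 8-byte signature, then MessageType as little-endian uint32.
        (msg_type,) = struct.unpack_from("<I", token, 8)
        info["mechanism"] = "NTLMSSP"
        info["message"] = NTLM_TYPES.get(msg_type, f"type {msg_type}")
    elif token[:1] == b"\x60":
        body = _after_der_length(token, 1)
        if body.startswith(OID_SPNEGO):
            info["mechanism"] = "SPNEGO"
        elif body.startswith(OID_KRB5):
            info["mechanism"] = "Kerberos 5"
        info["message"] = "InitialContextToken"
    return info


def _header(scheme: str, token: bytes) -> str:
    return f"{scheme} {base64.b64encode(token).decode('ascii')}"


def sample_headers() -> Dict[str, str]:
    """Constructed minimal tokens (not captured traffic) for the three shapes."""
    # Type 1: signature, MessageType=1, NegotiateFlags, empty domain/workstation fields.
    ntlm1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
    # SPNEGO: 0x60, length 15, SPNEGO OID, then a stubbed negTokenInit body.
    spnego = b"\x60\x0f" + OID_SPNEGO + b"\xa0\x05\x30\x03\xa0\x01\x00"
    # Raw Kerberos: 0x60, length 13, krb5 OID, then the KRB_AP_REQ token id (RFC 4121).
    krb5 = b"\x60\x0d" + OID_KRB5 + b"\x01\x00"
    return {
        "ntlm_negotiate": _header("NTLM", ntlm1),
        "spnego": _header("Negotiate", spnego),
        "krb5": _header("Negotiate", krb5),
    }


if __name__ == "__main__":
    for name, hdr in sample_headers().items():
        print(name, classify_auth_header(hdr))
```

A real NtLmAuthenticate or a Kerberos AP-REQ carrying a PAC decodes to far more bytes than these stubs; the point of the tool is that it measures what each one actually costs in the header.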



RE: Question about excluding the PAC

Schwartz, John
Ok. I was estimating :)  thanks for the feedback.


RE: Question about excluding the PAC

Schwartz, John
In reply to this post by Andrew Bartlett
I do see the secondary NTLM header and it is closer to 350 characters.

Thanks for pointing that out.


Re: Question about excluding the PAC

Simo Sorce-3
In reply to this post by Schwartz, John
Are you delegating credentials by chance? (forwarding a TGT).

On Mon, 2019-02-04 at 19:32 +0000, Schwartz, John wrote:

> Maybe it is working and I had different expectations.  It seems to have reduced the header size from about 6900 to 4500.  Is it normal for an authentication token (without authorization data) to be as much as 4500?  I was just comparing to NTLM which was closer to 20.
>
> If that is normal, then this is good news and should greatly help.
>
> Thanks again for all of your input.
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Schwartz, John
> Sent: Monday, February 04, 2019 11:09 AM
> To: Simo Sorce <[hidden email]>; Mark Pröhl <[hidden email]>; [hidden email]
> Subject: RE: Question about excluding the PAC
>
> Thanks. It does not seem to be working.  To be clear, I am trying to reduce this large http header to a simple authentication token.
>
> Authorization: Negotiate [base64 token elided]
>

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


