Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...


Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Alexander Bokovoy
On Thu, 23 Jan 2020, Greg Hudson wrote:

>On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
>
>Does this need to be an application flag, or can it be in the krb5.conf
>realm configuration?  Presumably people are currently working around
>this by setting [capaths] on the server; a realm variable would simplify
>this workaround by not requiring specific knowledge of the domain geometry.
>
>I reviewed the thread, and it sounds like the current understanding is
>that AD applies a transited check (of sorts) to cross-realm tickets, but
>doesn't say so by setting the transit-policy-checked flag in the
>ticket.  From the upstream point of view the server's realm
>configuration is in a better position to know that the realm is an AD
>realm than the server application; perhaps that is not true from Samba's
>point of view, but I thought I would check.

From the FreeIPA perspective, we know inside the KDB driver that a particular
realm belongs to one of the trusted AD forests, so we can provide this
information to the KDC dynamically. Perhaps Samba AD can do the same?

If so, maybe some KDB API extension can help?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


_______________________________________________
krbdev mailing list
https://mailman.mit.edu/mailman/listinfo/krbdev
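The situation Greg describes above (a cross-realm ticket whose KDC checked the path but did not set transited-policy-checked, so the accepting server has to fall back on its own [capaths]) is modelled here as an added example; it is not code from this thread, from MIT krb5 or from Samba. The realm names, the [capaths] table, the ticket dict and the flag-name string are all constructed, and the transited list is assumed to be already decoded from its compressed ticket encoding.

```python
# Added, simplified model of the server-side transited-realm check a service
# performs when a cross-realm ticket lacks the transited-policy-checked flag.
# Constructed krb5.conf [capaths]-style table: client realm -> server realm ->
# path.  "." means the two realms trust each other directly (no intermediate).
CAPATHS = {
    "AD.EXAMPLE.TEST": {
        "IPA.EXAMPLE.TEST": ["."],
        "LAB.IPA.EXAMPLE.TEST": ["IPA.EXAMPLE.TEST"],
    },
}


def expected_intermediates(capaths, client_realm, server_realm):
    """Intermediate realms configured for client_realm -> server_realm,
    or None when no path is configured at all."""
    path = capaths.get(client_realm, {}).get(server_realm)
    if path is None:
        return None
    return [realm for realm in path if realm != "."]


def transited_path_ok(capaths, client_realm, server_realm, transited):
    """True if every realm in the ticket's transited list (a decoded, ordered
    list of realm names) appears on the configured path, in order."""
    allowed = expected_intermediates(capaths, client_realm, server_realm)
    if allowed is None:
        # No [capaths] entry: only a direct cross-realm ticket is acceptable.
        return transited == []
    pos = 0
    for realm in transited:
        try:
            pos = allowed.index(realm, pos) + 1
        except ValueError:
            return False  # realm not on (or out of order on) the trusted path
    return True


def accept_cross_realm_ticket(ticket, capaths):
    """Decision for a decoded ticket given as a dict with 'crealm', 'srealm',
    'transited' (list of realms) and 'flags' (set of flag names)."""
    if ticket["crealm"] == ticket["srealm"]:
        return True  # not a cross-realm ticket; nothing to check
    if "transited-policy-checked" in ticket["flags"]:
        return True  # the issuing KDC vouches for the path
    # An AD KDC checks the path but leaves the flag unset, so the server
    # repeats the check locally against its own [capaths] knowledge.
    return transited_path_ok(capaths, ticket["crealm"], ticket["srealm"],
                             ticket["transited"])
```

Without a [capaths] entry for the foreign realm, any ticket that transited a third realm is refused, which is the behaviour the [capaths] workaround in the thread exists to tune.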

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Alexander Bokovoy
On Thu, 23 Jan 2020, Alexander Bokovoy wrote:

>On Thu, 23 Jan 2020, Greg Hudson wrote:
>>On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>>>it would be great if we could make some progress here...
>>
>>Does this need to be an application flag, or can it be in the krb5.conf
>>realm configuration?  Presumably people are currently working around
>>this by setting [capaths] on the server; a realm variable would simplify
>>this workaround by not requiring specific knowledge of the domain geometry.
>>
>>I reviewed the thread, and it sounds like the current understanding is
>>that AD applies a transited check (of sorts) to cross-realm tickets, but
>>doesn't say so by setting the transit-policy-checked flag in the
>>ticket.  From the upstream point of view the server's realm
>>configuration is in a better position to know that the realm is an AD
>>realm than the server application; perhaps that is not true from Samba's
>>point of view, but I thought I would check.
>
>From the FreeIPA perspective, we know inside the KDB driver that a particular
>realm belongs to one of the trusted AD forests, so we can provide this
>information to the KDC dynamically. Perhaps Samba AD can do the same?
>
>If so, maybe some KDB API extension can help?

I totally missed that this is a server side. Isaac explained the issue
to me, sorry for the suggestion that doesn't apply here. ;)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

