AS-REQ service tickets

Andrew Bartlett abartlet at samba.org
Thu Aug 17 16:56:05 EDT 2023


On Wed, 2023-08-16 at 22:22 +0000, John Wray wrote:
> I believe it should be possible to obtain a service ticket to a
> server within the local realm directly using an AS-REQ from
> krb5_get_init_creds_keytab()/password() by specifying the target
> server name instead of the TGS in the in_tkt_service parameter.
> Has anyone noticed any change in tickets obtained this way from
> Microsoft Domain Controllers after a recent security update?  None of
> the CVEs mentioned seem to relate to this KDC behavior.

Samba's tests have noticed a change in (at least) the PAC checksums
(the server signature) in the AS-REQ to service case.

We plan to investigate soon and once the tests are updated, there will
be a good basis to suggest any change to MIT Kerberos.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions

