Storing user-defined attributes in Kerberos5?

Wilper, Ross A rwilper at stanford.edu
Fri Sep 12 12:21:41 EDT 2014


(Sorry for the top-post, I'm a Windows guy..)

Microsoft uses the authdata field to carry SID data (uid and gids, kinda) in the PAC structure, with optional SAML-type claims added into the structure in Windows 2012. On the other hand, Active Directory deals with settings for the user (home dir, folder redirection, policies, etc.) using LDAP. I'll echo that what you are talking about is probably better handled with LDAP.

With TCP transport, there's no absolute limit to the size of a ticket, but the larger it gets, the more impractical it becomes. Microsoft has a hard limit at 64KB, though Windows 2000-2008R2 defaults to a limit of 12K and Windows 2012+ defaults to a 48K limit.

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Wendy Lin
Sent: Friday, September 12, 2014 8:52 AM
To: Greg Hudson
Cc: <kerberos at mit.edu>
Subject: Re: Storing user-defined attributes in Kerberos5?

On 27 April 2014 17:53, Greg Hudson <ghudson at mit.edu> wrote:
> On 04/25/2014 09:35 AM, Wendy Lin wrote:
>> Does Kerberos5 have the ability to store user-defined attributes
>> somewhere and distribute them to the Kerberos5 clients?
>
> Short answer: not really, and that's more of a job for something like LDAP.
>
> As I don't know the details of your use case, I should note that some
> implementations of Kerberos do convey specific attributes about client
> principals to application servers (not clients) via the authdata field
> in the ticket.  The most well-known instance of this is the Microsoft
> PAC, described at http://msdn.microsoft.com/en-us/library/cc237917.aspx

So it would be possible to include home dir, uid, gid(s), gcos and
choice of unix shell in a ticket? How large can tickets get anyway?

Wendy
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
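As an added illustration (not part of Ross's message or the MIT Kerberos project), the check below reads the Windows Kerberos token-size ceiling and compares it with the limits Ross quotes. It assumes those figures correspond to the MaxTokenSize DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (12000 bytes on Windows 2000 through 2008 R2, 48000 on Windows 2012 and later, 65535 as the hard maximum); when the value is absent, the script infers the default from the OS version, which is a rough heuristic rather than an authoritative lookup.

```powershell
# Added example, not from the thread: report the effective Kerberos token-size ceiling on this host.
# Assumption: MaxTokenSize lives at the standard Lsa\Kerberos\Parameters key; no value means the OS default applies.
$regPath         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$hardLimit       = 65535   # the 64K hard ceiling Ross mentions
$default2012Plus = 48000   # default on Windows 2012 and later
$defaultLegacy   = 12000   # default on Windows 2000 through 2008 R2

function Get-KerberosMaxTokenSize {
    $configured = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -eq $configured) {
        # Not explicitly set: infer the default from the kernel version (6.2 = Server 2012 / Windows 8).
        # Heuristic only; newer PowerShell hosts may report a compatibility version.
        $ver     = [Environment]::OSVersion.Version
        $default = if ($ver -ge [Version]'6.2') { $default2012Plus } else { $defaultLegacy }
        return [pscustomobject]@{ Source = 'OS default (inferred)'; Bytes = $default }
    }
    [pscustomobject]@{ Source = 'Registry'; Bytes = [int]$configured }
}

$token = Get-KerberosMaxTokenSize
"MaxTokenSize: $($token.Bytes) bytes ($($token.Source))"

if ($token.Bytes -gt $hardLimit) {
    Write-Warning "Configured value exceeds the $hardLimit-byte hard limit and will not be honored as written."
} elseif ($token.Bytes -lt $default2012Plus) {
    Write-Output "Below the 48K default of Windows 2012+: users with many group SIDs in the PAC may hit this ceiling."
}
```

Run it as an administrator on the client and on the application server, since both sides must accept the ticket; if the reported ceiling is close to the PAC size your users actually carry, that is the practical bound Ross is describing, well before any protocol-level TCP limit matters.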
