Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Wed Aug 25 03:53:19 EDT 2021


Thanks.
This information will be provided to openjdk dev as they were asking about
MIT krb5 behavior -> https://bugs.openjdk.java.net/browse/JDK-8272162

On Wed, Aug 25, 2021 at 1:00 PM Isaac Boukris <iboukris at gmail.com> wrote:

> Hi Vipul,
>
> On Wed, Aug 25, 2021 at 6:12 AM Vipul Mehta <vipulmehta.1989 at gmail.com>
> wrote:
> >
> > I have one more query on this based on the following statement in the Microsoft document:
> >
> > "If a non forwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."
> >
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
> >
> > Is this implemented in the MIT Kerberos client?
>
> No it isn't, we just assume all the KDCs support RBCD.
>
> I think this has become less relevant now that RBCD requires the
> forwardable flag as well [1]. I guess this doc should be updated too.
>
> [1] https://lists.samba.org/archive/cifs-protocol/2021-July/003608.html
>


-- 
Regards,
Vipul

