[krbdev.mit.edu #7871] KDC should not fail requests due to forwardable/proxiable option
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Apr 2 14:55:41 EDT 2014
After talking with Simo yesterday, I'm no longer convinced that Active
Directory has the specific behavior of silently not setting the
forwardable flag. Simo's recollection was that (1) the conformance test
was just authenticating against a specific service principal, possibly
kadmin/admin, with the forwardable flag set, and (2) the conformance
test wasn't necessarily checking that it got a non-forwardable ticket,
just that it got a ticket at all. After hearing that, I'm no longer
sure whether Active Directory even has an equivalent of
DISALLOW_FORWARDABLE.
(We don't appear to set DISALLOW_FORWARDABLE on any principals when a
KDB is created, but maybe IPA does?)
So, ignore any language in the original ticket description about
behavior differences. The reasons to do this would be (1) it is an
arguably friendlier behavior which is allowed by RFC 4120 and is
consistent with how the KDC handles other request options such as
lifetimes, and (2) it gets rid of the validate_forwardable hack in the
KDC code.
This is not a high-priority issue since DISALLOW_FORWARDABLE is probably
not often used.
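The two KDC behaviours the ticket contrasts, modelled as an added example (this is not code from the ticket or from MIT krb5): the bit values, the function names and the reject-versus-clamp logic are simplified stand-ins assumed here, not the project's real identifiers.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in bit values, assumed here to keep the model self-contained;
 * the real krb5 headers define different constants for these. */
#define REQ_FORWARDABLE           0x1u   /* KDC-REQ option bits */
#define REQ_PROXIABLE             0x2u
#define ATTR_DISALLOW_FORWARDABLE 0x1u   /* principal attribute bits */
#define ATTR_DISALLOW_PROXIABLE   0x2u
#define KDC_OK         0
#define KDC_ERR_POLICY 12                /* RFC 4120 error code */

typedef struct { int err; uint32_t flags; } kdc_result;

/* Behaviour the ticket wants removed: a disallowed option fails the whole
 * request with KDC_ERR_POLICY (the validate_forwardable path). */
kdc_result issue_reject(uint32_t req, uint32_t client_attrs, uint32_t server_attrs)
{
    uint32_t disallowed = client_attrs | server_attrs;
    kdc_result r = { KDC_OK, req & (REQ_FORWARDABLE | REQ_PROXIABLE) };
    if (((req & REQ_FORWARDABLE) && (disallowed & ATTR_DISALLOW_FORWARDABLE)) ||
        ((req & REQ_PROXIABLE) && (disallowed & ATTR_DISALLOW_PROXIABLE))) {
        r.err = KDC_ERR_POLICY;
        r.flags = 0;               /* no ticket is issued */
    }
    return r;
}

/* Proposed behaviour: clear the disallowed flag and still issue the ticket,
 * the same way a too-long requested lifetime is reduced rather than refused. */
kdc_result issue_clamp(uint32_t req, uint32_t client_attrs, uint32_t server_attrs)
{
    uint32_t disallowed = client_attrs | server_attrs;
    kdc_result r = { KDC_OK, req & (REQ_FORWARDABLE | REQ_PROXIABLE) };
    if (disallowed & ATTR_DISALLOW_FORWARDABLE) r.flags &= ~REQ_FORWARDABLE;
    if (disallowed & ATTR_DISALLOW_PROXIABLE)   r.flags &= ~REQ_PROXIABLE;
    return r;
}

int main(void)
{
    /* Constructed request: client asks for both flags, but its principal
     * carries DISALLOW_FORWARDABLE. */
    uint32_t req = REQ_FORWARDABLE | REQ_PROXIABLE;
    kdc_result a = issue_reject(req, ATTR_DISALLOW_FORWARDABLE, 0);
    kdc_result b = issue_clamp(req, ATTR_DISALLOW_FORWARDABLE, 0);
    printf("reject: err=%d flags=0x%x\n", a.err, a.flags);  /* err=12 flags=0x0 */
    printf("clamp:  err=%d flags=0x%x\n", b.err, b.flags);  /* err=0 flags=0x2 */
    return 0;
}
```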