Review of http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10
lukeh at padl.com
Fri Jan 2 17:01:21 EST 2009
According to the spec it's always unqualified except for the case of
cross-realm S4U2Self referrals. See [MS-KILE] Appendix A<9>.
Does it create a problem? Possibly, if two identically named accounts
in different domains can collude and swap their PACs to the same
service (and they have the same authtime). I would need to think about
it some more. Surely Microsoft have thought about this case.
On 03/01/2009, at 5:30 AM, Sam Hartman wrote:
>>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
> Luke> On 01/01/2009, at 3:43 AM, Love Hörnquist Åstrand
> Luke> wrote:
>>> Sam, Luke,
>>> In heimdal I use KRB5_PRINCIPAL_UNPARSE_NO_REALM for the logon
>>> name, and not SHORT name.
> Luke> OK, fixed in r21656.
> Does this create a problem if you have cross-domain PACs?
www.padl.com | www.fghr.net
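The distinction the thread turns on, as an added illustration that is not code from the thread, libkrb5 or Heimdal: a small C model of the two unparse modes (NO_REALM always strips the realm; SHORT strips it only when it matches the local default realm) and a check for the ambiguity Luke describes, where two principals from different realms share an unqualified logon name and an authtime. Principal strings, realm names and authtimes are constructed sample values; escaped `\@` in components is not handled.

```c
#include <stdio.h>
#include <string.h>

/* Realm is everything after the last '@' (model only; no escape handling). */
static const char *realm_of(const char *princ) {
    const char *at = strrchr(princ, '@');
    return at ? at + 1 : "";
}

/* Model of KRB5_PRINCIPAL_UNPARSE_NO_REALM: always drop the realm. */
char *unparse_no_realm(const char *princ, char *out, size_t outlen) {
    const char *at = strrchr(princ, '@');
    size_t n = at ? (size_t)(at - princ) : strlen(princ);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, princ, n);
    out[n] = '\0';
    return out;
}

/* Model of KRB5_PRINCIPAL_UNPARSE_SHORT: drop the realm only if it is the
 * default realm, otherwise keep the fully qualified name. */
char *unparse_short(const char *princ, const char *default_realm,
                    char *out, size_t outlen) {
    if (strcmp(realm_of(princ), default_realm) == 0)
        return unparse_no_realm(princ, out, outlen);
    snprintf(out, outlen, "%s", princ);
    return out;
}

/* Returns 1 when two distinct principals would be indistinguishable to a
 * service that keys on (unqualified logon name, authtime) alone, i.e. the
 * cross-realm case the thread raises; keying on the full principal avoids it. */
int pac_identity_collides(const char *princ_a, const char *princ_b,
                          long authtime_a, long authtime_b) {
    char a[256], b[256];
    if (strcmp(princ_a, princ_b) == 0) return 0;   /* same principal: no ambiguity */
    if (authtime_a != authtime_b) return 0;
    return strcmp(unparse_no_realm(princ_a, a, sizeof a),
                  unparse_no_realm(princ_b, b, sizeof b)) == 0;
}

int main(void) {
    char buf[256];
    printf("%s\n", unparse_no_realm("alice@CORP.EXAMPLE", buf, sizeof buf));
    printf("%s\n", unparse_short("alice@OTHER.EXAMPLE", "CORP.EXAMPLE", buf, sizeof buf));
    printf("collision: %d\n", pac_identity_collides("alice@CORP.EXAMPLE",
           "alice@OTHER.EXAMPLE", 1230000000L, 1230000000L));
    return 0;
}
```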