AD-SIGNEDPATH and cross-realm

Greg Hudson ghudson at MIT.EDU
Thu Feb 4 22:47:51 EST 2010

I committed the two changes I mentioned (not including AD-SIGNEDPATH
when returning a cross-realm TGT and not failing out on a bad
AD-SIGNEDPATH signature).

Based on what Love said, it's possible that we also need to add a check
to disregard AD-SIGNEDPATH, and therefore deny S4U2Proxy requests, if
the delegating service presents a cross-realm TGT in the AP-REQ part of
the TGS.  I need to better understand the trust implications of honoring
AD-SIGNEDPATH in that case.  I couldn't find a similar check in Heimdal
but I may have just missed it.
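The following is an added illustration, not MIT krb5 code, of the three KDC policy decisions discussed above (omit AD-SIGNEDPATH when issuing a cross-realm TGT, ignore rather than fail on a bad signature, and the proposed rule to disregard AD-SIGNEDPATH when the delegating service's header ticket is a cross-realm TGT). The Ticket model, the function names and the assumption that S4U2Proxy requires an honored signed path are hypothetical simplifications.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Ticket:
    """Hypothetical minimal view of the ticket in the AP-REQ of a TGS-REQ."""
    realm: str              # realm whose krbtgt key issued this ticket
    sname: str              # service principal, e.g. "krbtgt/EXAMPLE.COM" or "host/web.example.com"
    has_signedpath: bool    # an AD-SIGNEDPATH element is present in the authdata
    signedpath_valid: bool  # result of verifying its signature with the local krbtgt key


def _is_tgt(sname: str) -> bool:
    return sname.split("/", 1)[0] == "krbtgt"


def include_signedpath_in_reply(requested_sname: str, local_realm: str) -> bool:
    """Decision 1: do not attach AD-SIGNEDPATH when the reply is a cross-realm TGT
    (krbtgt/<other realm>); a foreign KDC cannot verify it and must not trust it."""
    if _is_tgt(requested_sname):
        target_realm = requested_sname.split("/", 1)[1]
        return target_realm == local_realm
    return True


def is_cross_realm_tgt(ticket: Ticket, local_realm: str) -> bool:
    """A TGT is treated as cross-realm when it was issued by another realm's
    krbtgt key, i.e. it did not originate from this KDC (assumption of the model)."""
    return _is_tgt(ticket.sname) and ticket.realm != local_realm


def evaluate_signedpath(header_ticket: Ticket, local_realm: str) -> Tuple[bool, str]:
    """Decisions 2 and 3: return (honor_signedpath, reason). S4U2Proxy is modelled
    as requiring an honored signed path, so 'honor=False' implies the proxy request
    is denied, while the TGS request itself is never failed for a bad signature."""
    if is_cross_realm_tgt(header_ticket, local_realm):
        return False, "cross-realm TGT in AP-REQ: AD-SIGNEDPATH disregarded, S4U2Proxy denied"
    if not header_ticket.has_signedpath:
        return False, "no AD-SIGNEDPATH present: S4U2Proxy denied"
    if not header_ticket.signedpath_valid:
        return False, "bad AD-SIGNEDPATH signature: ignored, request not failed, S4U2Proxy denied"
    return True, "AD-SIGNEDPATH verified with local krbtgt key: signed path honored"
```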
