[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Simo Sorce simo at redhat.com
Thu Aug 24 13:36:29 EDT 2017

On Thu, 2017-08-24 at 15:11 +0200, Stefan Metzmacher wrote:
> Hi Simo,
> > > I guess the proposed credential option is necessary, in that case.
> > >
> >
> > I think in this case ignoring the flag should probably be conditional
> > on whether a PAC is present.
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.

In Samba, yes, but that option can be used in other clients that can
connect to multiple types of servers, so in case they do not get a PAC
the flag should be respected.


Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
