kdc: cross realm s4u2self handling

Isaac Boukris iboukris at gmail.com
Tue Oct 2 13:03:18 EDT 2018


Hi Greg,

On Fri, Sep 21, 2018 at 8:20 AM Isaac Boukris <iboukris at gmail.com> wrote:
>
> On Thu, Sep 20, 2018 at 4:03 AM, Greg Hudson <ghudson at mit.edu> wrote:
> > It occurs to me that a within-realm S4U2Self request (i.e. one using a local
> > TGT header ticket rather than a cross-TGT one) should still fail if it
> > results in a referral.  I will try to put together a test case for that.
>
> I see, though I'm not sure I understand how this would happen.
>
> In any case, would it suffice to condition the check on:
> is_local_principal(kdc_active_realm, header_ticket->server)
> Or perhaps on (are those two necessarily equivalent here btw?):
> !is_cross_tgs_principal(header_ticket->server)
>
>
> Note, in case of a local TGT header ticket, I think we could add:
> if (client == NULL)
>     KRB5KDC_ERR_POLICY;
> The client here being the principal to impersonate, which must be
> local in that case.
>
> This would help to return the same error as Windows in the case where a bad
> implementation (e.g. current heimdal) uses a local TGT to request an
> s4u2self ticket from its own KDC on behalf of a foreign principal.
> I'll need to add that logic to my heimdal kdc changes as well, as
> currently it only fails there on PAC logon-name mismatch.

I've submitted PR #853 to follow up on this. I have tested it manually
in trust with Windows, and will try to add a test case in t_s4u for it
(without PAC, as I've suggested).
If there are other tests you have in mind, I can try to implement as well.

I hope this seems reasonable.
Thanks!
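As an added illustration of the check discussed in the quoted text above (this is not the code from PR #853 and not MIT krb5's own functions): a small C model using hypothetical, cut-down versions of is_local_principal and is_cross_tgs_principal over a simplified principal struct, returning KRB5KDC_ERR_POLICY when a local TGT header ticket is used to request S4U2Self on behalf of a foreign principal.

```c
#include <stdbool.h>
#include <string.h>

/* KDC_ERR_POLICY is error code 12 in RFC 4120. */
#define KRB5KDC_ERR_POLICY 12

/* Hypothetical cut-down principal: <comp0>/<comp1>@<realm>, comp1 may be NULL. */
typedef struct {
    const char *comp0;   /* first name component, e.g. "krbtgt" or "alice" */
    const char *comp1;   /* second component (a TGT's target realm), or NULL */
    const char *realm;   /* realm the principal belongs to */
} princ_t;

/* Any krbtgt/<x>@<realm> principal is a TGS principal. */
static bool is_tgs_principal(const princ_t *p)
{
    return p->comp1 != NULL && strcmp(p->comp0, "krbtgt") == 0;
}

/* A cross-realm TGS principal is krbtgt/<other>@<realm> with <other> != <realm>. */
static bool is_cross_tgs_principal(const princ_t *p)
{
    return is_tgs_principal(p) && strcmp(p->comp1, p->realm) != 0;
}

/* A principal is local when its realm is the one this KDC is serving. */
static bool is_local_principal(const char *active_realm, const princ_t *p)
{
    return strcmp(p->realm, active_realm) == 0;
}

/*
 * Model of the proposed check: when the S4U2Self header ticket is a local
 * (non-cross) TGT, the principal to impersonate must be local too; otherwise
 * answer KRB5KDC_ERR_POLICY. A cross-realm header ticket falls through (0),
 * leaving the existing cross-realm handling to decide.
 */
int s4u2self_local_tgt_check(const char *active_realm,
                             const princ_t *header_server,
                             const princ_t *impersonate)
{
    if (is_local_principal(active_realm, header_server) &&
        !is_cross_tgs_principal(header_server) &&
        !is_local_principal(active_realm, impersonate))
        return KRB5KDC_ERR_POLICY;
    return 0;
}
```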
