kdc: cross realm s4u2self handling

Isaac Boukris iboukris at gmail.com
Thu Sep 20 22:50:45 EDT 2018


On Thu, Sep 20, 2018 at 4:03 AM, Greg Hudson <ghudson at mit.edu> wrote:
> It occurs to me that a within-realm S4U2Self request (i.e. one using a local
> TGT header ticket rather than a cross-TGT one) should still fail if it
> results in a referral.  I will try to put together a test case for that.

I see, though I'm not sure I understand how this would happen.

In any case, would it suffice to condition the check on:
is_local_principal(kdc_active_realm, header_ticket->server)
or perhaps on (are those two necessarily equivalent here, by the way?):
!is_cross_tgs_principal(header_ticket->server)


Note that in the case of a local TGT header ticket, I think we could add:
if (client == NULL)  /* impersonated principal not found in the local DB */
    return KRB5KDC_ERR_POLICY;
The client here being the principal to impersonate, which must be
local in that case.

This would help return the same error as Windows does when a bad
implementation (e.g. current Heimdal) uses a local TGT to request an
S4U2Self ticket from its own KDC on behalf of a foreign principal.
I'll need to add that logic to my Heimdal KDC changes as well, as
currently it only fails there on a PAC logon-name mismatch.

>> Other than that, what do you think of the pac_verify/sign_ex() routines,
>> does it look ok?
>
> I looked over them briefly and don't have a problem with them.  If you
> submit a PR I will examine them more closely and cross-check against
> [MS-PAC] and [MS-SFU].

I'll submit a PR soon, thanks a lot for all the feedback.
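The header-ticket policy check discussed above, as an added stand-alone model that is not MIT krb5 or Heimdal code: the predicates below borrow the names of MIT's is_local_principal() and is_cross_tgs_principal() but are simplified re-implementations over a two-component principal struct (an assumption, as is local_db_lookup(), which stands in for the KDC's database lookup that yields client == NULL). It rejects an S4U2Self request that arrives on a local TGT but names a foreign principal to impersonate, and lets the cross-realm TGT case through, and it also lets you compare the two candidate predicates on a given header-ticket server.

```c
/* Added example modelling the S4U2Self header-ticket policy check.
 * Not code from the krb5 or Heimdal trees; names and structs are
 * simplified assumptions made for this illustration. */
#include <stdbool.h>
#include <string.h>

#define KRB5KDC_ERR_POLICY 12   /* RFC 4120 error code 12 */

/* Assumed minimal principal: realm plus two name components. */
struct princ {
    const char *realm;
    const char *comp0;   /* "krbtgt" for a TGT, otherwise a service type */
    const char *comp1;   /* TGT target realm, or e.g. a hostname */
};

static bool is_tgs_principal(const struct princ *p)
{
    return p->comp0 != NULL && p->comp1 != NULL &&
           strcmp(p->comp0, "krbtgt") == 0;
}

/* Local means the principal's realm is the KDC's active realm. */
bool is_local_principal(const char *kdc_realm, const struct princ *p)
{
    return strcmp(p->realm, kdc_realm) == 0;
}

/* A krbtgt whose second component differs from its own realm. */
bool is_cross_tgs_principal(const struct princ *p)
{
    return is_tgs_principal(p) && strcmp(p->comp1, p->realm) != 0;
}

/* Stand-in for the KDC DB lookup: only our own realm's principals exist
 * locally, so a foreign impersonated principal yields "not found". */
static bool local_db_lookup(const char *kdc_realm, const struct princ *client)
{
    return is_local_principal(kdc_realm, client);
}

/* Returns 0 to continue processing the S4U2Self request, or a KDC error.
 * kdc_realm is the realm serving the request, header_server the server
 * name of the TGT used as header ticket, impersonated the S4U2Self
 * target (the PA-FOR-USER principal). */
int s4u2self_header_check(const char *kdc_realm,
                          const struct princ *header_server,
                          const struct princ *impersonated)
{
    bool client_found = local_db_lookup(kdc_realm, impersonated);

    /* S4U2Self is only meaningful with a TGT as the header ticket. */
    if (!is_tgs_principal(header_server))
        return KRB5KDC_ERR_POLICY;

    /* Local TGT: the impersonated principal must be one of ours. */
    if (!is_cross_tgs_principal(header_server) && !client_found)
        return KRB5KDC_ERR_POLICY;

    /* Cross-realm TGT: the impersonated principal may be foreign; the
     * remaining checks (PAC, referral handling) happen elsewhere. */
    return 0;
}

/* Do the two candidate predicates from the thread agree for this
 * header-ticket server name at this KDC? */
bool predicates_agree(const char *kdc_realm, const struct princ *header_server)
{
    return is_local_principal(kdc_realm, header_server) ==
           !is_cross_tgs_principal(header_server);
}
```

For a local TGT (krbtgt/A@A) and for an incoming cross-realm TGT (krbtgt/A@B) the two predicates agree; they diverge on krbtgt/B@A, which is local to A yet cross-realm, so the choice between them only matters if such a ticket could ever reach this code path as a header ticket.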
