KDB access to auth indicators (was Re: Proposed libkrb5 APIs for name attributes)
abokovoy at redhat.com
Thu Aug 8 02:01:49 EDT 2019
On Wed, 07 Aug 2019, Greg Hudson wrote:
> On 8/3/19 4:08 AM, Alexander Bokovoy wrote:
>> So, if there would be a way to pass a mutable list of authentication
>> indicators to fetch_kdb_authdata() (which would pass it to a KDB's
>> sign_authdata callback) and add it to the ticket reply afterwards, that
>> would solve our case.
> Please have a look at https://github.com/krb5/krb5/pull/965 and see if
> that will work.
Thanks. This looks good. I'm at the Flock conference this week, but I'll try
to change FreeIPA to see if it works for OTP tokens, i.e. whether I would be
able to deny access to a specific Samba share if the user doesn't possess the
2FA-asserted SID in the MS-PAC.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland