Implementing RBCD

Greg Hudson ghudson at
Thu Mar 21 18:48:46 EDT 2019

On 3/21/19 6:20 PM, Isaac Boukris wrote:
> [notes: both these requirements are challenging:
> The first would involve full decoding of the PAC, while I think it
> could be a good idea to have it in krb5 library (for other purposes as
> well), I only have a vague idea of what NDR decoding actually means,
> and as far as I remember Greg was not fond of this idea in the past.

I could be okay with this if NDR isn't too hard to decode.

> The second requirement involves an RPC call (as per MS-KILE) but here
> as well I think we could skip it and just try other KDCs in case of
> error.]

I don't think our current sendto_kdc code makes it easy to cycle through
the KDCs on error.  I'd be okay with saying that our side of rbcd
doesn't work if you have pre-2012 DCs.

> My planning is currently as follows:
> - implement the client code properly, I think it might be a good idea
> to move some logic from get_creds.c to s4u_creds.c to simplify it
> (especially the referral-chasing), but I'm still unclear.
> - add basic KDC support, leaving authdata handling to KDB plugin (but
> we might need to provide it with more info).
> - add tests, possibly using own authdata implementation (similar to
> what I experiment with in PR 894).
> - manually test windows clients against MIT KDC by plugging it with (a
> patched) SambaAD (I'd also try to test trust with Windows KDC).

This seems reasonable.

More information about the krbdev mailing list