[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 23 11:28:32 EST 2020

On to, 23 tammi 2020, Greg Hudson wrote:
>On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
>Does this need to be an application flag, or can it be in the krb5.conf
>realm configuration?  Presumably people are currently working around
>this by setting [capaths] on the server; a realm variable would simplify
>this workaround by not requiring specific knowledge of the domain geometry.
>I reviewed the thread, and it sounds like the current understanding is
>that AD applies a transited check (of sorts) to cross-realm tickets, but
> doesn't say so by setting the transit-policy-checked flag in the
>ticket.  From the upstream point of view the server's realm
>configuration is in a better position to know that the realm is an AD
>realm than the server application; perhaps that is not true from Samba's
>point of view, but I thought I would check.

 From FreeIPA perspective we known inside KDB driver that a particular
realm belongs to one of trusted AD forests so we can provide this
information to KDC dynamically. Perhaps Samba AD can do the same?

If so, may be some KDB API extension can help?

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

More information about the krbdev mailing list