[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 23 11:38:54 EST 2020

On Thu, 23 Jan 2020, Alexander Bokovoy wrote:
>On Thu, 23 Jan 2020, Greg Hudson wrote:
>>On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>>>it would be great if we could make some progress here...
>>Does this need to be an application flag, or can it be in the krb5.conf
>>realm configuration?  Presumably people are currently working around
>>this by setting [capaths] on the server; a realm variable would simplify
>>this workaround by not requiring specific knowledge of the domain geometry.
>>I reviewed the thread, and it sounds like the current understanding is
>>that AD applies a transited check (of sorts) to cross-realm tickets, but
>>doesn't say so by setting the transit-policy-checked flag in the
>>ticket.  From the upstream point of view the server's realm
>>configuration is in a better position to know that the realm is an AD
>>realm than the server application; perhaps that is not true from Samba's
>>point of view, but I thought I would check.
>From FreeIPA perspective we know inside KDB driver that a particular
>realm belongs to one of trusted AD forests so we can provide this
>information to KDC dynamically. Perhaps Samba AD can do the same?
>If so, maybe some KDB API extension can help?

I totally missed that this is a server side. Isaac explained the issue
to me, sorry for the suggestion that doesn't apply here. ;)

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
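The [capaths] workaround Greg refers to above, shown as an added illustration that is not part of this thread or of any project's shipped configuration. It is a server-side krb5.conf fragment spelling out which intermediate realm a cross-realm ticket is allowed to have transited, which is what the library's transited check (krb5_check_transited_list) consults when the ticket does not carry the transit-policy-checked flag. All realm names are hypothetical: CHILD.CORP.TEST stands for the AD child domain the client authenticates in, CORP.TEST for the AD forest root, and SAMBA.LAB for the realm of the accepting server.

```ini
# Added example, not from the thread; every realm name below is hypothetical.
# Server-side krb5.conf. A ticket for a SAMBA.LAB service whose client realm
# is CHILD.CORP.TEST passes the transited check only if its transited field
# names nothing other than the realms listed here.
[capaths]
    # Key: the client's realm (the AD child domain).
    CHILD.CORP.TEST = {
        # Value: the intermediate realm(s) the ticket may have passed through
        # on its way to SAMBA.LAB. Only the AD forest root is permitted.
        SAMBA.LAB = CORP.TEST
    }
    # A direct trust: "." means no intermediate realm is permitted at all.
    CORP.TEST = {
        SAMBA.LAB = .
    }
```

Every child domain of the forest needs its own block of this shape, which is the "specific knowledge of the domain geometry" the message above objects to; a ticket whose transited field lists an unlisted realm is rejected, so an entry that is missing or out of date shows up as an authentication failure on the server rather than as an accepted ticket.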
