[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher metze at samba.org
Fri Jan 24 13:49:37 EST 2020

Hi Greg,

> On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>> it would be great if we could make some progress here...
> Does this need to be an application flag, or can it be in the krb5.conf
> realm configuration?  Presumably people are currently working around
> this by setting [capaths] on the server; a realm variable would simplify
> this workaround by not requiring specific knowledge of the domain geometry.
> I reviewed the thread, and it sounds like the current understanding is
> that AD applies a transited check (of sorts) to cross-realm tickets, but
>  doesn't say so by setting the transit-policy-checked flag in the
> ticket. 


> From the upstream point of view the server's realm
> configuration is in a better position to know that the realm is an AD
> realm than the server application; perhaps that is not true from Samba's
> point of view, but I thought I would check.

In Samba we know that we're joined to an AD domain
and then we want to force disabling the transited check
for gss_accept_sec_context().

For Samba as AD DC we want also want to disable this for
krb5_rd_req_decoded in the KDC too.

A krb5.conf option would also be good in order to support
non-samba services in AD-Domains. But the c library should also
support changing it at runtime.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20200124/eca079fa/attachment-0001.bin

More information about the krbdev mailing list