Using authentication indicators

Andrew Bartlett abartlet at
Mon Apr 3 05:51:24 EDT 2023

On Mon, 2023-04-03 at 12:43 +0300, Alexander Bokovoy wrote:
> My original goal (not implemented yet) for this was to be able to inject
> PKINIT-specific authentication indicators to tickets received over
> cross-realm when PAC in the incoming cross-tgt contains indication that
> PKINIT was used by domain controller in a trusted AD domain. This would
> allow us to bridge smartcard use by AD and a lack of authentication
> indicators support by Microsoft -- FreeIPA clients would be able to see
> the proper indicator for stronger auth support in pam_sss_gss, for
> example.

I'm hoping we can somehow use AD claims for some authentication
indicator kind of tasks, perhaps with certificate-backed claims to
indicate use of PKINIT.

It is early days, but that seems to be the space we can put such an
indication in within the AD pattern.

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Developer, Catalyst IT

More information about the krbdev mailing list