Using authentication indicators
Andrew Bartlett
abartlet at samba.org
Mon Apr 3 05:51:24 EDT 2023
On Mon, 2023-04-03 at 12:43 +0300, Alexander Bokovoy wrote:
> My original goal (not implemented yet) for this was to be able to inject
> PKINIT-specific authentication indicators to tickets received over
> cross-realm when PAC in the incoming cross-tgt contains indication that
> PKINIT was used by domain controller in a trusted AD domain. This would
> allow us to bridge smartcard use by AD and a lack of authentication
> indicators support by Microsoft -- FreeIPA clients would be able to see
> the proper indicator for stronger auth support in pam_sss_gss, for
> example.
I'm hoping we can somehow use AD claims for some authentication
indicator kind of tasks, perhaps with certificate-backed claims to
indicate use of PKINIT.
It is early days, but that seems to be the space we can put such an
indication in within the AD pattern.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
More information about the krbdev
mailing list