Split IAKERB for local KDCs cross-realm setup?
Alexander Bokovoy
abokovoy at redhat.com
Fri Mar 28 15:40:59 EDT 2025
On Fri, 28 Mar 2025, Nico Williams wrote:
>On Fri, Mar 28, 2025 at 08:55:43PM +0200, Alexander Bokovoy via krbdev wrote:
>> [... stuff about KDCs accessed over Unix domain sockets ...]
>
>Sure, if you know this (local configuration) or can trivially test for
>this then that's cheap and timeout-free. (Is the AF_LOCAL server a
>proxy? I guess it would be.)
>
>Presumably the initiator can also know about its start TGT's realm's
>KDC's reachability if it acquired it itself.
>
>"Prestashing" is a technique where tickets are orchestrated into place
>where they are needed, and in those cases the initiator needs a clue as
>to whether the start realm's KDCs are reachable. But if the initiator's
>start TGT came from an AS exchange done locally w/o IAKERB then the
>initiator can know this (e.g., as an attribute in the ccache file) and
>just try contacting that realm's KDCs directly.
>
>Don't forget that we could use ccconfig entries for some of these
>things, so even in the prestash case clues can be given to the
>initiator. And the ccache and its config entries can be used to track
>failures to reach KDCs so that at least retries can go differently even
>if that yields a sucky UX.
Yes, there is already a precedent with the GSSAPI krb5 mech acceptor
which stores the "start_realm" of the delegated TGT in case it is not
the same as the server's realm.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland