Supporting custom requests for MS-NRPC
Alexander Bokovoy
abokovoy at redhat.com
Mon Sep 29 03:09:44 EDT 2025
On Fri, 26 Sep 2025, Greg Hudson wrote:
>On 9/26/25 06:00, Alexander Bokovoy via krbdev wrote:
>>So I am thinking on how we can implement this in MIT Kerberos-based
>>Samba AD DC or FreeIPA domain controllers.
>
>Do these requests have to be serviced by the KDC process at all?
>Could it be a separate daemon with access to the KDB?
Since it needs access to the encrypted keys, that separate daemon would
effectively be a KDC in the sense that it will need to verify signatures
and issue PAC content. It is a large duplicate of the feature set
provided by the KDC code.

I would consider having a separate daemon in such a case a security issue
as well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland