Supporting custom requests for MS-NRPC

Alexander Bokovoy abokovoy at redhat.com
Tue Sep 30 04:45:06 EDT 2025


On Mon, 29 Sep 2025, Greg Hudson wrote:
>On 9/29/25 03:09, Alexander Bokovoy wrote:
>>Since it needs access to the encrypted keys, that separate daemon would
>>effectively be a KDC in the sense that it will need to verify signatures
>>and issue a PAC content. It is a large duplicate of the feature set
>>provided by the KDC code.
>
>I don't understand how that squares with the proposed option 2:
>
>  Option 2. Implement a custom pre-authentication plugin that hooks into
>  KDC's loop (via vt->loop()'s verto_ctx passed there) and handles custom
>  requests over the custom (e.g. UNIX domain socket) interface. All it
>  needs is access to the KDC's krb5 context to be able to call for KDB
>  methods and perform PAC validation.
>
>In this design option, how would the custom code leverage the KDC code
>for signature verification and PAC issuance?

This custom plugin would be able to get access to the krb5_context and
thus get access to the pre-configured KDB driver and krb5_db_/dbe_* functions.

Though you are right that this can technically be done by an app that
links to libkdb5 itself. So we can do it without creating a new
interface.

>
>>I would consider having a separate daemon in such case a security issue
>>as well.
>
>Is it a security issue that kadmind is a separate daemon from krb5kdc?

It is considered part of the KDC. However, both Samba AD and FreeIPA do
not really allow kadmind access. FreeIPA only uses kadmin.local with
LDAPI (LDAP over a UNIX domain socket) and autobind authentication of the
user that is connecting (root is mapped to cn=Directory Manager right
now). Samba simply overrides principal modification in the KDB driver to
refuse any modifications from the KDC side. In both cases the default ACLs
for kadmind access prevent remote users from being accepted. This is
because LDAP database access in the KDB driver is done using a DB connection
context with privileges higher than any principal that is connected to
kadmind.


-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
