On Thu, 2012-11-22 at 17:59 +0200, Alexander Bokovoy wrote:
> Hi,
>
> attached patch attempts to bring us up to MS-KILE version 25.0 support
> by verifying that if the number of additional SIDs in the
> KERB_VALIDATION_INFO structure is equal to one then this SID must be
>
> AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, S-1-18-1
>
> This SID means the client's identity is asserted by an authentication
> authority based on proof of possession of client credentials.
>
> During the AD interop event at Microsoft earlier this year Simo found
> out that this is the case for Windows Server 2012 and we need to relax
> our check to allow this case.
>
> https://fedorahosted.org/freeipa/ticket/3231
>
> I haven't tested it against Windows Server 2012 yet but I am sending
> the patch out for early check and verification.

NACK, there are 2 SIDs Windows 2012 may put there, not just S-1-2-18-1
(also -2 IIRC), and after I checked the docs I really think (as I
suggested before) that we shouldn't expect a specific SID here, or in a
next release a Windows server may break us again.
The spec doesn't say they will never add other SIDs like these with new
meanings. What we need to do is to check that NONE of these SIDs is from
our own domain, or is a builtin SID.

I think the best option for now is to filter out any SID in there that
we do not explicitly recognize, but not fail if there is any we do not
support, just skip it. So if you find S-1-18-1/S-1-18-2 you may decide
to leave them in the PAC; they are useful indications to services and
they can decide whether to use them or not.

We need to filter out any SID that is not a regular domain SID (like
well-known SIDs and Builtin Domain SIDs) and any SID that belongs to our
own domain. Beyond that we should retain other SIDs (for example this
structure might list a HistorySID for the incoming user and we should
give applications a chance to make use of that information).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
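As an added illustration of the filtering policy described in the reply above (this is example code, not code from this thread or from FreeIPA's ipa-kdb), here is a small Python filter over a PAC's ExtraSids list. It drops SIDs that claim membership in our own domain, drops well-known and builtin SIDs, keeps S-1-18-1/S-1-18-2 as informational, keeps foreign domain SIDs such as SID history, and skips rather than fails on anything it cannot parse. The domain SID, the sample list and all function names are constructed for the example.

```python
# Added example: filter the ExtraSids of a KERB_VALIDATION_INFO structure.
# Not FreeIPA project code; the domain SID and sample SIDs below are
# constructed values for illustration only.

# Constructed SID of the local IPA domain (assumption, not a real value).
OUR_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# MS-KILE asserted-identity SIDs that we choose to leave in the PAC so
# services can make use of them.
ASSERTED_IDENTITY_SIDS = frozenset({"S-1-18-1", "S-1-18-2"})


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) or None if malformed."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        return None
    if not all(p.isdigit() for p in parts[2:]):
        return None
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    # The SID format allows at most 15 32-bit sub-authorities.
    if len(subauths) > 15 or any(s > 0xFFFFFFFF for s in subauths):
        return None
    return authority, subauths


def is_regular_domain_sid(sid):
    """True for S-1-5-21-X-Y-Z(-RID): a SID issued by some AD or IPA domain."""
    parsed = parse_sid(sid)
    if parsed is None:
        return False
    authority, subauths = parsed
    return authority == 5 and len(subauths) >= 4 and subauths[0] == 21


def belongs_to_domain(sid, domain_sid):
    """True if sid is domain_sid itself or a RID directly under it."""
    return sid == domain_sid or sid.startswith(domain_sid + "-")


def classify_extra_sid(sid, our_domain_sid=OUR_DOMAIN_SID):
    """Return ("keep" | "drop", reason) for one ExtraSids entry."""
    if parse_sid(sid) is None:
        return "drop", "malformed"
    if sid in ASSERTED_IDENTITY_SIDS:
        return "keep", "asserted identity (MS-KILE)"
    if not is_regular_domain_sid(sid):
        return "drop", "well-known or builtin SID"
    if belongs_to_domain(sid, our_domain_sid):
        return "drop", "claims membership in our own domain"
    return "keep", "foreign domain SID (e.g. SID history)"


def filter_extra_sids(sids, our_domain_sid=OUR_DOMAIN_SID):
    """Split ExtraSids into (kept, dropped); dropped holds (sid, reason) pairs.

    Unrecognised or unparsable entries are skipped, never an error, so a
    new SID from a future Windows release cannot break authentication.
    """
    kept, dropped = [], []
    for sid in sids:
        verdict, reason = classify_extra_sid(sid, our_domain_sid)
        if verdict == "keep":
            kept.append(sid)
        else:
            dropped.append((sid, reason))
    return kept, dropped


# Constructed sample of what a PAC's ExtraSids array might carry.
SAMPLE_EXTRA_SIDS = [
    "S-1-18-1",                                        # asserted identity: keep
    OUR_DOMAIN_SID + "-512",                           # our own Domain Admins: drop
    "S-1-5-32-544",                                    # BUILTIN\Administrators: drop
    "S-1-1-0",                                         # Everyone: drop
    "S-1-5-21-987654321-876543210-765432109-1105",     # foreign domain (SID history): keep
    "S-1-5-11",                                        # Authenticated Users: drop
    "not-a-sid",                                       # garbage: skip, do not fail
]

if __name__ == "__main__":
    kept_sids, dropped_sids = filter_extra_sids(SAMPLE_EXTRA_SIDS)
    print("kept:", kept_sids)
    for dropped_sid, why in dropped_sids:
        print("dropped:", dropped_sid, "-", why)
```

The own-domain check is a prefix match on the domain SID, so any RID under it (512, 519, a user RID) is rejected regardless of which trusted DC issued the PAC; the asserted-identity allow-list is checked first because S-1-18-x would otherwise be discarded as a well-known SID.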