On Thu, 2012-11-22 at 17:59 +0200, Alexander Bokovoy wrote:
> Hi,
> attached patch attempts to bring us up to MS-KILE version 25.0 support
> by
> verifying that if number of additional SIDs in KERB_VALIDATION_INFO
> structure is equal to one then this SID must be
> This SID means the client's identity is asserted by an authentication
> authority based on proof of possession of client credentials.
> During AD interop event at Microsoft earlier this year Simo found out
> that this is the case for Windows Server 2012 and we need to relax our
> check to allow this case.
> https://fedorahosted.org/freeipa/ticket/3231
> I haven't tested it against Windows Server 2012 yet but sending the
> patch out for early check and verification.
there are 2 SID Windows 2012 may put there, not just S-1-2-18-1 (also -2
IIRC) and after I checked the docs I really think (As I suggested
before) that we shouldn't expect a specific SID here, or in a next
release a Windows server may break us again.

The spec doesn't say they will never add other SIDs like these with new
What we need to do is to check that NONE of these SIDs is from our own
domain, or is a builtin SID.

I think the best option for now, is to filter out any SID in there that
we do not explicitly recognize, but not fail if there is any we do not
support, just skip.

So if you find S-1-18-1/S-1-18-2 you may decide to leave them in the
PAC, they are useful indications to services and they can decide whether
to use them or not. We need to filter out any SID that is not a regular
domain SID (like wellknown SIDs and Builtin Domain SIDs) and any SID
that belong to our own domain. Beyond that we should retain other SIDs
(for example this structure might list an HistrorySID for the incoming
user and we should give a chance to applications to make use of that


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to