We are fine with being alone, but seeking knowledge and trying to understand what we are doing as deeply as possible is a high priority.

I knew about a problem with digitally unsigned PACs, recently addressed by Microsoft and the Samba team. And I do see the problems pointed out in the slides, and of course that is a problem that breaks Active Directory at least, since the Kerberos principals and the actual usernames are separate entities. In a Unix-only environment without user access to renaming accounts, with complete control over the principal and username space (for hosts, users and services alike), and with no trust in external parties, I still don't see how our setup would be vulnerable. I appreciate your reservations though.

And just to be clear: the LAB, SAD and MAD subdomains are meant as technological testing and development grounds, for system tests, application tests and as a playground for making deep dives into authentication systems in general.

One last thing: any other information about the PAD approach versus MS-PAC? If I enable this in my IPA deployment, is it actually used and does it have consequences? Through a half-hearted Google search, I was only able to find these two sources:

https://www.freeipa.org/page/V3/Read_and_use_per_service_pac_type
https://datatracker.ietf.org/doc/html/draft-ietf-krb-wg-pad-01

Is there any internal FreeIPA development discussion that one can read where the implementation/use of PADs is discussed?

Does it make any difference setting:

ipa config-mod --pac-type=nfs:NONE --pac-type=PAD

versus:

ipa config-mod --pac-type=

(where, as I understand it, everything defaults to no PAC)?

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
