On Fri, Feb 02, 2024 at 12:11:58AM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 01 Feb 2024, Steve Berg via FreeIPA-users wrote:
> > Is there any way to just delete all these SID requirements? My ipa
> > domain doesn't have a trust to anything windows and there's no plan to
> > ever set that up.
>
> No.
>
> S4U protocol extensions for Kerberos require the presence of PAC buffers
> as per the MS-SFU spec. The changes came in in 2021 as a part of the
> fixes to 'dollar sign attack'. You can get a partial view of that with
> https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack or
> several talks we gave over the past few years at various conferences. Most
> notable:
> - Andrew Bartlett, "sambaXP 2022: The Inside Story on the Dollar Ticket
>   Attack"
>   https://www.youtube.com/watch?v=1BnraIAcybg
>
> - Andreas Schneider, Alexander Bokovoy, "sambaXP 2023: Samba AD / MIT
>   Kerberos: path out of experimental"
>   https://www.youtube.com/watch?v=0_cdYuIYw0o

Those attacks are against MS Windows (and Samba?). I would say they're not
relevant to the majority of FreeIPA deployments, which have nothing to do with
Windows.

-- 
Tomasz Torcz
[email protected]
“Funeral in the morning, IDE hacking in the afternoon and evening.” - Alan Cox
