Hi Martin,
I don't think your comments apply to what I'm proposing. See the
inline comments below.
>> We should enforce a PAC always to be present, as we don't support
>> trusted domains with LSA_TRUST_TYPE_MIT anyway.
"We" is Samba in here. Services which don't use the PAC at all
are not enforc
Hi Simo,
>> I guess the proposed credential option is necessary, in that case.
>>
>
> I think in this case ignoring the flag should probably be conditional
> to whether a PAC is present.
We should enforce a PAC always to be present, as we don't support
trusted domains with LSA_TRUST_TYPE_MIT any
On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket. MIT and Heimdal
>> KDCs both appear to perform the transited chec
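The decision sketched in the proposal quoted above (a service skips its own rd_req transited check when the issuing KDC has already set TRANSITED-POLICY-CHECKED in the ticket flags), worked through as an added example. This is illustration code written for this page, not MIT krb5's or Samba's implementation. The DER layout of KrbFlags and the flag bit positions are taken from RFC 4120 section 5.4.1; the allow-list policy applied when the flag is absent, the sample ticket flags and the transited realm lists are constructed here and are not from the thread.

```python
"""Service-side decision: run a transited-realm check, or trust the KDC's?

Added example (not MIT krb5 or Samba code). KrbFlags bit numbers follow
RFC 4120 section 5.4.1; the policy applied when the KDC did not set
TRANSITED-POLICY-CHECKED is an assumed, simplified allow-list.
"""
from typing import Iterable, List, Set, Tuple

# RFC 4120 section 5.4.1 ticket flag bit numbers. In a DER BIT STRING, bit 0 is
# the most significant bit of the first content byte.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8, "initial": 9,
    "pre-authent": 10, "hw-authent": 11, "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}


def decode_krb_flags(der: bytes) -> Set[str]:
    """Decode a DER-encoded KrbFlags BIT STRING into the set of flag names set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KrbFlags is a few bytes long; a long-form length would be malformed here.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused_bits = der[2]
    body = der[3:]
    if unused_bits > 7 or not body:
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused_bits
    if nbits < 32:
        raise ValueError("KrbFlags must carry at least 32 bits")
    flags = set()
    for name, bit in TICKET_FLAG_BITS.items():
        if bit < nbits and body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(name)
    return flags


def encode_krb_flags(names: Iterable[str]) -> bytes:
    """Encode flag names as a 32-bit KrbFlags BIT STRING (used to build samples)."""
    body = bytearray(4)
    for name in names:
        bit = TICKET_FLAG_BITS[name]
        body[bit // 8] |= 0x80 >> (bit % 8)
    return bytes([0x03, 1 + len(body), 0x00]) + bytes(body)


def service_transited_decision(
    flags_der: bytes,
    transited_realms: List[str],
    allowed_transit_realms: Set[str],
) -> Tuple[str, bool]:
    """Return (who_checked, accepted).

    If the KDC set TRANSITED-POLICY-CHECKED, the service relies on the KDC's
    check and does not re-examine the transited list (the behaviour proposed
    in the thread). Otherwise the service applies its own policy; here that is
    an assumed allow-list of realms permitted to appear in the transited path.
    """
    flags = decode_krb_flags(flags_der)
    if "transited-policy-checked" in flags:
        return ("kdc", True)
    rejected = [r for r in transited_realms if r not in allowed_transit_realms]
    return ("service", not rejected)


if __name__ == "__main__":
    # Constructed sample: a renewable, forwardable TGS ticket whose issuing KDC
    # already checked the transited path.
    checked = encode_krb_flags(
        ["forwardable", "renewable", "pre-authent", "transited-policy-checked"])
    unchecked = encode_krb_flags(["forwardable", "renewable", "pre-authent"])
    allowed = {"CORP.EXAMPLE"}
    print(sorted(decode_krb_flags(checked)))
    print(service_transited_decision(checked, ["OTHER.EXAMPLE"], allowed))
    print(service_transited_decision(unchecked, ["CORP.EXAMPLE"], allowed))
    print(service_transited_decision(unchecked, ["OTHER.EXAMPLE"], allowed))
```

The realm names and the allow-list are placeholders; a real service would take the transited list from the decrypted ticket and the policy from its krb5 configuration.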
On 08/22/2017 07:22 AM, Stefan Metzmacher wrote:
>> I'm not sure about "any KDC in the trust chain trusts the next hop."
>> RFC 4120 doesn't think about cross-realm relationships in terms of
>> trust. Simply having cross-realm keys with another realm doesn't
>> necessarily imply that the other rea
Am 21.08.2017 um 16:05 schrieb Greg Hudson:
> On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
>> While thinking about this I can't see any value in checking the
>> transited list of the ticket. As that list is always under the
>> control of the KDC that issued the ticket. And the service
>> trusts
On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the tr