On Tue, 11 Mar 2025, Ivan Korytov via sssd-devel wrote:

Sumit and Alexander, thank you for replies!

Why do you need to add some NetBIOS information?

There is a proprietary audit software for Windows DCs that hijacks
information about user login/logoff and to register that user logged in
it requires NetBIOS workstation name to be present in the ticket.
winbind does it and it works fine with this software (as it mimics
Windows behavior).

Also, as Alexander mentioned, Samba DCs use it too, so looks like it is
a reasonable addition to sssd.

And I thought that if I'm implementing NetBIOS names, then not adding
support for IP addresses would be strange (same structure used for
both), as it can be useful for restricting ticket usage on network.

But if you need lots of extra processing then it might be easier to
call `getifaddrs()` from krb5_child and do the processing directly.

There isn't much processing, it filters out loopback/link-local
addresses and two protocol versions. I will try to reuse
check_ipv4_addr/check_ipv6_addr as they do what I implemented myself
and can be configured by flags.

I've checked again sss_iface_addr_list_get and it is constrained by
fixed filter (check_for_dns) and needs a network interface name. It can
be reworked to be universal and maybe accept a filtering function (like
check_for_dns) in its arguments.
I don't think it is viable, at least for now, to make a universal
function for getting addresses. Only dyndns is using this function now.

Afaik nobody asked about proxy ticket until now

That's good, because addresses list changes its function as it becomes
proxy (but maybe that happens on KDC when it sends it to service, not
on client side). I've yet to find someone/something that uses them.

Wait, which proxy? We have three different proxy mechanisms for Kerberos:

 - MS-KKDCP, aka KDCProxy, which is what FreeIPA and MSFT Active
   Directory ships by default. It is used a lot by Active Directory
   users, especially together with RDP servers. FreeIPA version is used,
   for example, by Fedora, CentOS, GNOME and other communities as they
   put their KDCs behind the firewall. KKDCP protocol requires HTTPS
   end-point to be a proxy.

 - HTTP endpoint (not HTTPS!) used by Heimdal, mostly consumed by macOS
   clients. Similar to MS-KKDCP, and no TLS support. macOS
   implementation had a bug, hopefully fixed now.

 - IAKerb proxy, over a GSSAPI-enabled application. It is supported by
   Windows 11 and Windows Server 2025, and MIT Kerberos.

In all these cases the original application creates the request,
attaches it to the proxy request and sends it over. The proxy pretty
much forwards the messages and doesn't update their content.


Not sure if that answers your questions but in `make_chpw_options()`
in the MIT Kerberos source code the
KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST flag is unset.

It makes a copy of options (k5_gic_opt_shallow_copy), so it shouldn't
rewrite options that were passed initially. I couldn't find an exact
place where addresses from options become an addresses in krb5_creds,
but it seems that somewhere it is not copied and uses the same pointer.
And then it is deallocated by krb5_free_cred_contents inside
krb5_get_init_creds_password. So I think that because
k5_gic_opt_shallow_copy reuses the address_list pointer it is also carried
somewhere to credentials. I'll check that theory and report back.

Removing only a flag isn't a problem, especially in a copy, but
addresses list needs to be created again in initial options.

See krb5_copy_addresses() use in MIT krb5 code.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
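The two mechanics discussed in this thread, collecting host addresses from `getifaddrs()` while skipping loopback and link-local entries, and deep-copying the resulting list so that a shallow-copied options struct never shares a pointer with something that later frees it, are shown below in one added example. This is illustrative code written for this post, not sssd or MIT krb5 code: the `addr_t`/`addr_list_t` types are a local stand-in for `krb5_address`, and `addr_list_copy()` plays the role that `krb5_copy_addresses()` plays in real krb5 code (assumptions; the `ADDRTYPE_*` values match those in krb5.h).

```c
/* Added example (not sssd or MIT krb5 code). addr_t is a local stand-in for
 * krb5_address; addr_list_copy() mirrors what krb5_copy_addresses() does. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

enum { ADDRTYPE_INET = 2, ADDRTYPE_INET6 = 24 }; /* same values as krb5.h */

typedef struct {
    int addrtype;
    size_t length;
    unsigned char *contents;   /* owned by this entry */
} addr_t;

typedef struct {
    size_t n;
    addr_t *list;              /* owned by this list */
} addr_list_t;

/* Skip 127.0.0.0/8 (loopback) and 169.254.0.0/16 (link-local). */
bool ipv4_usable(const struct in_addr *a)
{
    uint32_t h = ntohl(a->s_addr);
    return (h >> 24) != 127 && (h >> 16) != 0xA9FE;
}

/* Skip ::1 and fe80::/10. */
bool ipv6_usable(const struct in6_addr *a)
{
    return !IN6_IS_ADDR_LOOPBACK(a) && !IN6_IS_ADDR_LINKLOCAL(a);
}

/* Convenience wrapper over the predicates: 1 usable, 0 filtered, -1 unparsable. */
int addr_str_usable(const char *text)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (inet_pton(AF_INET, text, &v4) == 1) return ipv4_usable(&v4) ? 1 : 0;
    if (inet_pton(AF_INET6, text, &v6) == 1) return ipv6_usable(&v6) ? 1 : 0;
    return -1;
}

/* Append a private copy of the raw address bytes; false on allocation failure. */
bool addr_list_push(addr_list_t *l, int type, const void *bytes, size_t len)
{
    addr_t *grown = realloc(l->list, (l->n + 1) * sizeof(*grown));
    if (!grown) return false;
    l->list = grown;
    unsigned char *buf = malloc(len);
    if (!buf) return false;
    memcpy(buf, bytes, len);
    l->list[l->n].addrtype = type;
    l->list[l->n].length = len;
    l->list[l->n].contents = buf;
    l->n++;
    return true;
}

void addr_list_free(addr_list_t *l)
{
    for (size_t i = 0; i < l->n; i++) free(l->list[i].contents);
    free(l->list);
    l->list = NULL;
    l->n = 0;
}

/* Deep copy: after this, freeing either list leaves the other intact, which is
 * exactly what a shallow copy of the options struct does not guarantee. */
bool addr_list_copy(const addr_list_t *src, addr_list_t *dst)
{
    dst->n = 0;
    dst->list = NULL;
    for (size_t i = 0; i < src->n; i++) {
        if (!addr_list_push(dst, src->list[i].addrtype,
                            src->list[i].contents, src->list[i].length)) {
            addr_list_free(dst);
            return false;
        }
    }
    return true;
}

/* Walk getifaddrs() and keep usable IPv4/IPv6 addresses; -1 on error. */
int collect_host_addrs(addr_list_t *out)
{
    struct ifaddrs *head, *ifa;
    out->n = 0;
    out->list = NULL;
    if (getifaddrs(&head) != 0) return -1;
    for (ifa = head; ifa; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr) continue;
        if (ifa->ifa_addr->sa_family == AF_INET) {
            struct in_addr *a = &((struct sockaddr_in *)ifa->ifa_addr)->sin_addr;
            if (ipv4_usable(a)) addr_list_push(out, ADDRTYPE_INET, a, sizeof *a);
        } else if (ifa->ifa_addr->sa_family == AF_INET6) {
            struct in6_addr *a = &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr;
            if (ipv6_usable(a)) addr_list_push(out, ADDRTYPE_INET6, a, sizeof *a);
        }
    }
    freeifaddrs(head);
    return (int)out->n;
}
```

The ownership rule is the part worth carrying over to the real code: whatever list is handed to `krb5_get_init_creds_opt_set_address_list()` should be a copy the caller owns and frees itself, and anything that ends up inside `krb5_creds` should be its own `krb5_copy_addresses()` copy, so that `krb5_free_cred_contents()` cannot pull the list out from under the options struct.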

--
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
