On Wed, 12 Mar 2025, Ivan Korytov via sssd-devel wrote:
> Wait, which proxy?
>
> Not the transport proxy, but like an identity proxy that allows another
> service to act on your behalf.
>
> It is mentioned in section 2.5 of RFC 4120.
> https://datatracker.ietf.org/doc/html/rfc4120#section-2.5
>
> And later in section 5.4.1 it says that with the PROXY flag set, the addresses
> of the host (proxy) must be included in the addresses field of the request,
> not the client addresses.
> https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1


This is pretty much not used nowadays, security-wise. There is no way to
control, for a proxiable ticket, to which service it could be issued, other
than for a ticket-granting ticket, which cannot be issued from a proxiable
ticket that is not forwardable.

Most applications in the Active Directory world rely on forwardable
service tickets and S4U extensions instead. S4U2Proxy needs a forwardable
service ticket to operate, while S4U2Self can be used to obtain a ticket
to the service in case we have no service ticket directly (protocol
transition). This is controlled by the KDC; AD DCs have two ways of
controlling it.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
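Added example (mine, not code from the thread or from SSSD): decode the RFC 4120 TicketFlags BIT STRING (section 5.2.8 bit numbering) and summarise the proxiable-versus-forwardable distinction made above. The DER bytes in the sample are constructed.

```python
# Added example: decode RFC 4120 TicketFlags and summarise delegation ability.

# Bit positions from RFC 4120 section 5.2.8 / 5.3 (bit 0 is the first bit).
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may-postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


def decode_ticket_flags(der: bytes) -> set:
    """Decode a DER BIT STRING carrying KerberosFlags into flag names.

    Layout: tag 0x03, short-form length, one 'unused bits' octet, then the
    bits; bit 0 of the flags is the most significant bit of the first octet.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused
    if nbits < 32:  # KerberosFlags ::= BIT STRING (SIZE (32..MAX))
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return {
        TICKET_FLAG_NAMES.get(i, "bit%d" % i)
        for i in range(nbits)
        if body[i // 8] & (0x80 >> (i % 8))
    }


def delegation_summary(flags: set) -> dict:
    """Map flag names onto the delegation behaviour discussed in the reply."""
    return {
        # Classic proxying (RFC 4120 2.5): the KDC may issue service tickets
        # with other addresses, but never a TGT, from a proxiable-only ticket.
        "classic_proxy_service_ticket": "proxiable" in flags,
        "tgt_obtainable_via_delegation": "forwardable" in flags,
        # S4U2Proxy needs a forwardable service ticket.
        "s4u2proxy_usable": "forwardable" in flags,
        # PROXY set means the addresses field holds the proxy host (5.4.1).
        "addresses_are_proxy_host": "proxy" in flags,
    }


if __name__ == "__main__":
    # Constructed sample: forwardable, proxiable, renewable, initial, pre-authent.
    sample = bytes.fromhex("03050050e00000")
    print(sorted(decode_ticket_flags(sample)))
    print(delegation_summary(decode_ticket_flags(sample)))
```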

--
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org