RFR 8005819: Support cross-realm MSSFU

Martin Balao mbalao at redhat.com
Thu Dec 12 14:46:38 UTC 2019

On 12/11/19 10:07 PM, Weijun Wang wrote:
> This looks good to me.


> There is one confusion. I understand that handleS4U2ProxyReferral needs an in/out creds argument, but for serviceCredsReferrals the additionalTickets argument should only be in, right? However in this method you've modified the content of it after calling handleS4U2ProxyReferral. This is not fatal because it won't have any effect higher than acquireS4U2proxyCreds, but it does introduce an in/out argument to the serviceCreds/serviceCredsReferrals methods.
> Anyway, even if this is worth amending we can fix it after RDP1 with a different issue.

Good observation. I've had a look and you are probably right. The in/out
parameter is spread across all the code. Looks to me that, at some
point, the idea was that there could be more than one additional ticket
(and it was not an in/out parameter really). What makes me think so is
the iteration here [1]. Given that this is not particularly related to
8005819, I agree that it would be better to analyze it in the context of
a new fix. Before getting rid of the in/out parameter, I suggest to
decide whether or not there could be more than one ticket.

[1] -

More information about the security-dev mailing list