RFR 8215032: Support Kerberos cross-realm referrals (RFC 6806)

Weijun Wang weijun.wang at oracle.com
Fri Jun 7 01:56:31 UTC 2019



> On Jun 6, 2019, at 11:38 PM, Martin Balao <mbalao at redhat.com> wrote:
> 
> Hi Max,
> 
> On 6/5/19 10:20 PM, Weijun Wang wrote:
>> For the server referral part, I think we can clone some existing cross-realm authentication test and remove the [domain_realm] part in the client's krb5.conf and see if the authentication still succeeds.
> 
> I'm not sure why you would remove the dns - realm information from
> there. Perhaps you meant the static paths. But unless the KDC has
> information to refer to a different KDC, this should not work.

In my referrals experiment, the following sections are in krb5.conf of the KDC but not in that of the client.

[domain_realm]
.k1x = K1
.k2x = K2
.k3x = K3


[capaths]
K1 = {
    K3 = K2
}

> 
> For the client part, do you have a test procedure?
>> 
> 
> My real testing environment is Windows 2016 based and includes 3
> servers, which I've configured through a series of PowerShell commands.
> My understanding is that you prefer to use MIT's krb5 server so this
> won't be useful.

I don't prefer any. Any is useful. Both will be great.

> 
> I'm not sure how you did configure your MIT's krb5 server but my
> understanding is that something as described/implemented by the
> "cross_realms" function [1] [2] is needed. Referral information is added
> in the form of "adding principals" [3].

I'll take a look.

Thanks,
Max

> 
> Thanks,
> Martin.-
> 
> --
> [1] - https://github.com/krb5/krb5/blob/master/src/util/k5test.py#L177
> [2] - https://github.com/krb5/krb5/blob/master/src/util/k5test.py#L1144
> [3] - https://github.com/krb5/krb5/blob/master/src/util/k5test.py#L1200
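As an added illustration (example code, not from this thread, OpenJDK or MIT krb5), the script below parses the two krb5.conf sections quoted above and performs the two lookups they feed: host-to-realm mapping from `[domain_realm]` (longest matching domain suffix) and the cross-realm transit path from `[capaths]`, from which it derives the sequence of `krbtgt/NEXT@CURRENT` tickets a client in K1 would need to reach K3. The realm and domain names are the mail's own; the host names and the `.`-means-direct convention are assumptions (the latter follows MIT krb5's capaths syntax), and the hierarchical fallback used when no capaths entry exists is deliberately not implemented. It shows concretely what a client lacking these sections must instead learn from KDC referrals.

```python
"""Parse the [domain_realm] and [capaths] sections quoted in the mail and run
the lookups a krb5 client or KDC performs on them. Added example; the config
text is embedded so the script runs offline."""
from typing import Dict, List, Optional

# krb5.conf fragment as quoted in the thread (constructed copy of the mail's text).
KRB5_CONF = """
[domain_realm]
.k1x = K1
.k2x = K2
.k3x = K3

[capaths]
K1 = {
    K3 = K2
}
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the subset of krb5.conf syntax used by [domain_realm] and [capaths].

    Result: {"domain_realm": {suffix: [realm]}, "capaths": {client: {server: [hops]}}}.
    A '{ ... }' block becomes a nested dict; a key repeated inside a block
    appends to its value list, which is how multi-hop capaths are written.
    """
    sections: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections[line[1:-1]] = {}
            stack = [sections[line[1:-1]]]
            continue
        if not stack:
            raise ValueError(f"value outside any section: {raw!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            child: dict = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def host_realm(conf: Dict[str, dict], hostname: str) -> Optional[str]:
    """Map a host to its realm via [domain_realm]: exact host entry first,
    then the longest matching '.domain' suffix. None if nothing matches."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest suffix is tried first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix][0]
    return None


def transit_path(conf: Dict[str, dict], client_realm: str,
                 server_realm: str) -> Optional[List[str]]:
    """Realm sequence client -> ... -> server from an explicit [capaths] entry.
    '.' as a hop means a direct trust (assumed MIT convention). Returns None
    when no entry exists; the hierarchical fallback is not modelled here."""
    if client_realm == server_realm:
        return [client_realm]
    hops = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    path = [client_realm] + [h for h in hops if h != "."]
    path.append(server_realm)
    return path


def cross_realm_tgts(path: List[str]) -> List[str]:
    """Cross-realm TGT names a client must obtain along the path, in order."""
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    # Constructed host name; the realm follows from the mail's .k3x mapping.
    realm = host_realm(conf, "svc.k3x")
    path = transit_path(conf, "K1", realm)
    print("service realm:", realm)          # K3
    print("transit path:", path)            # ['K1', 'K2', 'K3']
    print("tickets needed:", cross_realm_tgts(path))
```

A client without the `[domain_realm]` section cannot compute the first lookup locally, and without `[capaths]` it cannot compute the second; RFC 6806 referrals let the KDC supply both answers, which is exactly the configuration difference the mail describes.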
