RFR 8005819: Support cross-realm MSSFU

Martin Balao mbalao at redhat.com
Mon Nov 4 18:14:49 UTC 2019


Hi Michael,

On 11/3/19 4:54 PM, Michael Osipov wrote:
> 
> Yes, sure. The spot just made me wonder. My understanding for S4U2self
> (my knowledge is limited to the AD KDC, may be different in MIT
> Kerberos). You may or may not sign onto a service with Kerberos, the
> service (HTTP/host at REALM) knows your UPN (client1 at REALM). Now the
> service wants to connect to a PostgreSQL DB with your credentials by
> using S4U2self and then S4U2proxy. Since the SPN HTTP/host at REALM is
> bound to either a machine account (server1$@REALM) or service account
> (service at REALM) you have to impersonate with that account and not with
> the SPN, then as soon as you have the TGT, you can request the service
> ticket for the target service.
> The confusion was 'sname' combined with 'PrincipalName.KRB_NT_PRINCIPAL'.
> 

Thanks for your clarification. My understanding is that you are
referring to line 546 of webrev.01 [1]. 'sname' is the backend service
name. As you well pointed out, it won't be of KRB_NT_PRINCIPAL type. In
addition to that, there is no need to create a new sname PrincipalName
there because we can use the instance received by parameter and it is
not mutable. This has been addressed in webrev.02 [2].

Thanks,
Martin.-

--
[1] -
http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.01/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java.sdiff.html
[2] -
http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.02/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java.sdiff.html
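As an added illustration of the sequence discussed above (the service account, not the SPN, does S4U2self for the user, then S4U2proxy against the backend with the resulting credential), here is example code written for this note. It is not part of webrev.01/02 and not JDK source; it only uses the public org.ietf.jgss API plus the JDK's com.sun.security.jgss.ExtendedGSSCredential.impersonate. The realms, host names, the service account, the backend SPN and the JAAS entry name "ServiceLogin" are assumptions, and the backend is placed in a second realm because that is the cross-realm case the RFR subject is about.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * S4U2self followed by S4U2proxy from a Java front-end service (MS-SFU via JGSS).
 * Added example; identities, realms and the JAAS entry name are assumptions.
 */
public class S4U2ProxyExample {
    // Kerberos v5 mechanism OID.
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
    // Kerberos principal name type OID, so names carry an explicit realm.
    private static final Oid KRB5_NT_PRINCIPAL = new Oid("1.2.840.113554.1.2.2.1");

    // Assumed identities: the account that owns HTTP/host (the one S4U2self must be
    // requested with), the user the front end serves, and a backend in another realm.
    static final String SERVICE_ACCOUNT = "service@FRONT.EXAMPLE";
    static final String CLIENT_UPN      = "client1@FRONT.EXAMPLE";
    static final String BACKEND_SPN     = "postgres/db.back.example@BACK.EXAMPLE";

    /**
     * Returns the initial AP-REQ token for the backend, obtained on behalf of
     * CLIENT_UPN. The caller sends it to the backend (e.g. as the first GSSAPI
     * SASL message to PostgreSQL) and feeds any reply back into ctx.
     */
    public static byte[] tokenForBackend() throws Exception {
        // JAAS entry "ServiceLogin" (assumed) uses Krb5LoginModule with a keytab for
        // SERVICE_ACCOUNT, so the Subject ends up holding that account's TGT.
        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();
        Subject serviceSubject = lc.getSubject();

        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();

            // Credential of the service *account*, not of the SPN HTTP/host:
            // the S4U2self request is made by the account that owns the SPN.
            GSSName serviceName = manager.createName(SERVICE_ACCOUNT, KRB5_NT_PRINCIPAL);
            GSSCredential serviceCred = manager.createCredential(
                    serviceName, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH,
                    GSSCredential.INITIATE_ONLY);

            // S4U2self: ask the KDC for a ticket from CLIENT_UPN to ourselves.
            // The returned credential lets this process act as the user.
            GSSName clientName = manager.createName(CLIENT_UPN, KRB5_NT_PRINCIPAL);
            GSSCredential asClient =
                    ((ExtendedGSSCredential) serviceCred).impersonate(clientName);

            // S4U2proxy: with that credential, request a service ticket for the
            // backend. The sname here is the backend's SPN, which is not of
            // KRB_NT_PRINCIPAL type; it is passed through as the peer name.
            GSSName backendName = manager.createName(BACKEND_SPN, KRB5_NT_PRINCIPAL);
            GSSContext ctx = manager.createContext(
                    backendName, KRB5_MECH, asClient, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            ctx.requestCredDeleg(false);   // constrained delegation, no forwarded TGT
            try {
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                // Caller continues the handshake with a live context in real code;
                // here we only return the first token, so release what we hold.
                asClient.dispose();
                serviceCred.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        byte[] apReq = tokenForBackend();
        System.out.println("AP-REQ for " + BACKEND_SPN + ": " + apReq.length + " bytes");
    }
}
```

Running this needs a JAAS configuration (java.security.auth.login.config) with a "ServiceLogin" entry using com.sun.security.auth.module.Krb5LoginModule, useKeyTab=true and the service account's principal; a krb5.conf that can reach both realms; and, on the KDC side, constrained delegation enabled on the service account for the backend SPN (on AD, msDS-AllowedToDelegateTo) plus a trust between FRONT.EXAMPLE and BACK.EXAMPLE. Without the cross-realm referral handling this RFR adds, the S4U2proxy step to BACK.EXAMPLE fails; in the same-realm case it works on existing JDK releases.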