RFR 8005819: Support cross-realm MSSFU
Martin Balao
mbalao at redhat.com
Thu Oct 31 20:40:32 UTC 2019
Hi Michael,
Thanks for having a look at this proposal.
On 10/29/19 12:35 PM, Osipov, Michael wrote:
> * In handleS4U2ProxyReferral():
>> + sname = new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL,
>> + sname.getNameStrings(), sname.getRealm());
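Review bot: the rebuilt sname has its name type pinned to KRB_NT_PRINCIPAL, while the sname it is rebuilt from was parsed from a string and therefore carries KRB_NT_UNKNOWN, so the type is being asserted rather than carried over. Rather than choosing a constant here, copy the type the existing sname already reports (PrincipalName exposes it via getNameType()) into the first constructor argument; that keeps KRB_NT_UNKNOWN for string-built names, which is what the reply proposes, and preserves any explicit type a caller supplied.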
>
> Why do you use here KRB_NT_PRINCIPAL? Is that the assumption that in AD
> all services are bound to regular accounts compared to MIT Kerberos?
>
The backend PrincipalName is constructed from a string, so we really
don't know the type and KRB_NT_UNKNOWN is used. I've not found any issue
in my tests with KRB_NT_PRINCIPAL but it should look less arbitrary to
keep KRB_NT_UNKNOWN. I'll do some more testing and change it if there
are no issues.
> client1@REALM => HTTP/host@REALM where HTTP/host@REALM is bound to
> srv$@REALM => postgres/host2@REALM and the transition is done with
> srv$@REALM?
>
I'm not sure what you mean here. Can you please elaborate a bit more?
Kind regards,
Martin.-
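An added illustration of the name-type point discussed above (not code from the patch under review or from OpenJDK): a PrincipalName parsed from a string comes back as KRB_NT_UNKNOWN, the rebuild in the patch forces KRB_NT_PRINCIPAL, and a rebuild that copies the original's type keeps UNKNOWN. The principal and realm names are made up for the example, and it uses the internal sun.security.krb5 API, so it has to be compiled and run with --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED.

```java
// Added example, not part of the reviewed patch. Shows the name type a
// string-built PrincipalName carries and two ways of rebuilding it for a
// cross-realm referral: hard-coding KRB_NT_PRINCIPAL (as in the patch)
// versus carrying over the original type.
// Run with: --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED
import sun.security.krb5.PrincipalName;
import sun.security.krb5.Realm;
import sun.security.krb5.RealmException;

public class ReferralNameType {

    // Rebuild sname in the realm the KDC referred us to, keeping whatever
    // name type the original principal had (KRB_NT_UNKNOWN when it was
    // parsed from a string, an explicit type if the caller supplied one).
    static PrincipalName rebuildForRealm(PrincipalName sname, Realm referredRealm) {
        return new PrincipalName(sname.getNameType(),
                sname.getNameStrings(), referredRealm);
    }

    // What the reviewed patch does: the type is pinned to KRB_NT_PRINCIPAL
    // regardless of what the original principal carried.
    static PrincipalName rebuildAsPrincipal(PrincipalName sname) {
        return new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL,
                sname.getNameStrings(), sname.getRealm());
    }

    public static void main(String[] args) throws RealmException {
        // Hypothetical service principal and realms, constructed for this example.
        // The single-String constructor assigns KRB_NT_UNKNOWN as the name type.
        PrincipalName sname = new PrincipalName("postgres/host2.example.com@EXAMPLE.COM");
        System.out.println("parsed:    " + sname + " type=" + sname.getNameType());

        PrincipalName forced = rebuildAsPrincipal(sname);
        System.out.println("forced:    " + forced + " type=" + forced.getNameType());

        PrincipalName kept = rebuildForRealm(sname, new Realm("OTHER.EXAMPLE.COM"));
        System.out.println("preserved: " + kept + " type=" + kept.getNameType());
    }
}
```

The name strings and realm are all the referral needs; the type is metadata the KDC returned or the caller set, so copying it through is the conservative choice when the code path cannot know whether the target is a user or a service account.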
More information about the security-dev mailing list