RFR 8005819: Support cross-realm MSSFU

Martin Balao mbalao at redhat.com
Thu Oct 31 20:40:32 UTC 2019

Hi Michael,

Thanks for having a look at this proposal.

On 10/29/19 12:35 PM, Osipov, Michael wrote:
> * In handleS4U2ProxyReferral():
>> +        sname = new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL,
>> +                sname.getNameStrings(), sname.getRealm());
> Why do you use here KRB_NT_PRINCIPAL? Is that the assumption that in AD
> all services are bound to regular accounts compared to MIT Kerberos?

The backend PrincipalName is constructed from a string, so we really
don't know the type and KRB_NT_UNKNOWN is used. I've not found any issue
in my tests with KRB_NT_PRINCIPAL but it should look less arbitrary to
keep KRB_NT_UNKNOWN. I'll do some more testing and change it if there
are no issues.

> client1 at REALM => HTTP/host at REALM where HTTP/host at REALM is bound to
> srv$@REALM => postgres/host2 at REALM and the transition is done with
> srv$@REALM?

I'm not sure of what you mean here. Can you please elaborate a bit more?

Kind regards,

More information about the security-dev mailing list