RFR 8005819: Support cross-realm MSSFU

Martin Balao mbalao at redhat.com
Thu Oct 31 20:43:12 UTC 2019


On 10/31/19 5:40 PM, Martin Balao wrote:
> 
> On 10/29/19 12:35 PM, Osipov, Michael wrote:
>> * In handleS4U2ProxyReferral():
>>> +        sname = new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL,
>>> +                sname.getNameStrings(), sname.getRealm());
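Review bot: this line hardcodes KRB_NT_PRINCIPAL and discards whatever name type `sname` already carried (only `sname.getNameStrings()` and `sname.getRealm()` are copied; `sname.getNameType()` is not consulted), so a caller that already knew the backend name was a service principal loses that information in the rebuilt name. If the intent is to normalize the type for the referral path, say so in a comment at this line; otherwise consider passing the existing type through, or using KRB_NT_UNKNOWN explicitly, rather than a fixed value that the name strings do not justify.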
>>
>> Why do you use KRB_NT_PRINCIPAL here? Is the assumption that in AD
>> all services are bound to regular accounts, compared to MIT Kerberos?
>>
> 
> The backend PrincipalName is constructed from a string, so we really
> don't know the type and KRB_NT_UNKNOWN is used. I've not found any issue
> in my tests with KRB_NT_PRINCIPAL but it should look less arbitrary to
> keep KRB_NT_UNKNOWN. I'll do some more testing and change it if there
> are no issues.
> 

Hmm.. perhaps we can assume SRV. Let me think about that.
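The point under discussion, that a PrincipalName parsed from a string carries KRB_NT_UNKNOWN and that rebuilding it from its components (as the quoted hunk does) is where an explicit type gets chosen, as an added example. This is not code from the patch or from the JDK; the realms, hosts and the `guessType` heuristic are assumptions made for the illustration only. `sun.security.krb5` is a JDK-internal package, so the class must be compiled and run with `--add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED`.

```java
import sun.security.krb5.PrincipalName;
import sun.security.krb5.Realm;
import sun.security.krb5.RealmException;

/*
 * Added example, not code from the JDK patch or from the JDK itself.
 * Compile and run with:
 *   javac --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED SnameTypeDemo.java
 *   java  --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED SnameTypeDemo
 */
public class SnameTypeDemo {

    // Same construction as the quoted hunk, with the name type as a parameter
    // instead of a fixed KRB_NT_PRINCIPAL.
    static PrincipalName withType(PrincipalName sname, int nameType) {
        return new PrincipalName(nameType, sname.getNameStrings(), sname.getRealm());
    }

    // Hypothetical heuristic (an assumption for this example, not what the
    // patch does): two or more components such as HTTP/host look like a
    // service instance (KRB_NT_SRV_INST); a single component is treated as a
    // plain principal (KRB_NT_PRINCIPAL).
    static int guessType(PrincipalName name) {
        return name.getNameStrings().length >= 2
                ? PrincipalName.KRB_NT_SRV_INST
                : PrincipalName.KRB_NT_PRINCIPAL;
    }

    // Readable label for the RFC 4120 name types used here.
    static String typeLabel(int nameType) {
        switch (nameType) {
            case PrincipalName.KRB_NT_UNKNOWN:   return "KRB_NT_UNKNOWN";
            case PrincipalName.KRB_NT_PRINCIPAL: return "KRB_NT_PRINCIPAL";
            case PrincipalName.KRB_NT_SRV_INST:  return "KRB_NT_SRV_INST";
            case PrincipalName.KRB_NT_SRV_HST:   return "KRB_NT_SRV_HST";
            default:                             return "type " + nameType;
        }
    }

    static void show(String label, PrincipalName p) {
        System.out.printf("%-28s %-40s components=%d type=%s%n",
                label, p, p.getNameStrings().length, typeLabel(p.getNameType()));
    }

    public static void main(String[] args) throws RealmException {
        // Constructed sample names; the realms and hosts are made up.
        // Parsed from a string, the text form carries no name type, so the
        // object is KRB_NT_UNKNOWN whatever the name looks like.
        PrincipalName backend = new PrincipalName("HTTP/backend.example.com@EXAMPLE.COM");
        PrincipalName user    = new PrincipalName("alice@EXAMPLE.COM");
        show("parsed service name", backend);
        show("parsed user name", user);

        // A caller that knows the type can state it at parse time.
        PrincipalName typed = new PrincipalName("HTTP/backend.example.com@EXAMPLE.COM",
                PrincipalName.KRB_NT_SRV_INST);
        show("parsed with explicit type", typed);

        // Rebuilding from components, as the hunk does, replaces the type;
        // the name strings and the realm are preserved.
        show("rebuilt as KRB_NT_PRINCIPAL", withType(backend, PrincipalName.KRB_NT_PRINCIPAL));
        show("rebuilt, type kept", withType(typed, typed.getNameType()));
        show("rebuilt, type guessed", withType(backend, guessType(backend)));

        // Cross-realm case: the realm travels with the components, so a
        // backend in another realm keeps that realm after the rebuild.
        PrincipalName foreign = new PrincipalName(PrincipalName.KRB_NT_UNKNOWN,
                new String[] {"HTTP", "backend.other.example"}, new Realm("OTHER.EXAMPLE"));
        show("foreign realm, rebuilt", withType(foreign, PrincipalName.KRB_NT_SRV_INST));
    }
}
```

The `withType` helper is the hunk's constructor call with the type exposed as a parameter, so the three "rebuilt" lines show the only thing the choice between KRB_NT_PRINCIPAL, KRB_NT_UNKNOWN and a service type changes: the name-type field, not the components or the realm.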
