Hi again,

On Sat, Jul 14, 2018 at 5:45 AM, Isaac Boukris <ibouk...@gmail.com> wrote:
> A couple of follow-up items I am thinking on:
> - Try to see if it can be tested by heimdal.
>
> - Do we need to fix get_cred_kdc_capath() too or just fail it early
> (we currently issue a failed sfu request before falling back to
> referrals).

Now that I've looked into heimdal's impersonate tests, I realize the current KDC behavior is to issue a s4u2self ticket to any user from any realm, as long as the service asks for it for itself, so it always succeeds (unless the hdb plugin implements hdb_check_s4u2self() as in samba). In fact, even in its own domain the KDC doesn't perform any check to see if the user exists in the db (unless it needs to add a PAC), which doesn't sound very useful to me as it doesn't provide the service with much info. So I think it would be better to try to get this tested within samba instead.

As regarding get_cred_kdc_capath(), I think it cannot be fixed. IIUC it tries to get the referral-tgts explicitly by requesting them from the KDCs along the path (and without the canonicalize flag). However, this doesn't seem to work for s4u2self, and if I ask for a tgt-referral with 'pa-for-user' I just get a bad-match error (also I couldn't find any such flow in the doc).

Given the above, I'm in favor of failing get_cred_kdc_capath() if the service and impersonated user are from different realms and relying on referrals. This means the client will try to locate the user's realm to request the s4u2self ticket (and that realm has to exist).

Thoughts?

P.S. this is now PR #389