> -----Original Message-----
> The Kerberos protocol does not support cross-realm AS requests.  The
> definition of KDC-REQ-BODY in RFC 4120 section 5.4.1 contains only one realm
> (at the ASN.1 level, a PrincipalName does not include the realm) which is
> used for both the client and server principal.  So the requests in the second
> and third examples are actually for a TGT in the EXTERNAL.ORG realm
> (presumably krbtgt/example....@external.org), which cannot be
> served from the EXAMPLE.COM KDC.

I think it's a bit harsh to claim cross-realm AS is not supported by the 
protocol. The native AS_REQ may not be able to specify different realms for the 
tgt and the client, but a PKINIT exchange has a certified client principal 
name/realm combination. It certainly seems to me that if the KDC has been 
configured to trust the CA binding principal name/realm to the public key, then 
the KDC should be justified in populating the cname/crealm fields in the reply 
using the certified information. Certainly, I see nothing in 4120 or 4556 which 
forbids this. I actually took the following to mean it was required in the 
absence of a configured "binding map" (p 15. RFC 4556):

    Otherwise, if the client's X.509 certificate contains a Subject
    Alternative Name (SAN) extension carrying a KRB5PrincipalName
    (defined below) in the otherName field of the type GeneralName
    [RFC3280], it binds the client's X.509 certificate to that name.

However, accepting that it does not do it now, I retooled my experiment 
somewhat. I made a principal:

test/external....@example.com

in the example.com kdc (the only one I have). Then I signed the clientkey with

env CLIENT=test/EXTERNAL.ORG REALM=EXAMPLE.COM openssl x509 ...

And now "kinit test/EXTERNAL.ORG" results in a client name mismatch. (Also 
defined on p 15 of RFC 4556). The trace indicates that kinit is correctly 
seeking credentials for "test/external....@example.com". I cannot get openssl 
to display the extension fields. I have not yet discovered a way for tshark to 
display the pkinit preauth. However, I triple-checked the signing command in my 
history against this principal. As far as I can tell, the principal in the KDC 
database, on the kinit command line, and in the certificate I'm using for 
PKINIT are all the same, and I'm still getting a client name mismatch. Does 
openssl not like slashes in environment variable expansions?

Thanks again for your help.

Bryce
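An added example, not part of this thread and not MIT Kerberos code: a small DER encoder/decoder for the KRB5PrincipalName that PKINIT carries in the certificate's SAN (the otherName with type-id 1.3.6.1.5.2.2, RFC 4556 section 3.2.2), together with the comparison a KDC makes between that certified name and the requested principal. The `certified_name_matches` helper and its name-splitting rule are my simplification for illustration, not the KDC's own parser.

```python
# Added example (not from the thread): minimal DER encode/decode for the
# KRB5PrincipalName in the id-pkinit-san otherName (OID 1.3.6.1.5.2.2).

def _tlv(tag, body):
    """DER tag-length-value (bodies up to 255 bytes, enough for a SAN)."""
    n = len(body)
    assert n < 0x100, "long-form lengths beyond one byte not handled"
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_krb5_principal_name(realm, components, name_type=1):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }.
    name_type 1 is NT-PRINCIPAL; KerberosString is DER GeneralString (tag 0x1B)."""
    kstr = lambda s: _tlv(0x1B, s.encode("ascii"))
    principal = _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type])))
                     + _tlv(0xA1, _tlv(0x30, b"".join(kstr(c) for c in components))))
    return _tlv(0x30, _tlv(0xA0, kstr(realm)) + _tlv(0xA1, principal))

def decode_krb5_principal_name(der):
    """Inverse of the encoder: returns (realm, name_type, [components])."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    _, realm_tlv, pos = _read_tlv(body)          # [0] Realm
    _, realm, _ = _read_tlv(realm_tlv)
    _, pn_tlv, _ = _read_tlv(body, pos)           # [1] PrincipalName
    _, pn, _ = _read_tlv(pn_tlv)
    _, nt_tlv, pos = _read_tlv(pn)                # [0] name-type (Int32)
    _, nt, _ = _read_tlv(nt_tlv)
    _, ns_tlv, _ = _read_tlv(pn, pos)             # [1] name-string (SEQUENCE OF)
    _, seq, _ = _read_tlv(ns_tlv)
    comps, pos = [], 0
    while pos < len(seq):
        _, comp, pos = _read_tlv(seq, pos)
        comps.append(comp.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), comps

def certified_name_matches(san_der, requested):
    """Compare the certified name with 'comp/comp@REALM' as kinit would split it.
    Simplification: no backslash escapes; the realm is everything after the last '@'."""
    name, _, realm = requested.rpartition("@")
    cert_realm, _, cert_comps = decode_krb5_principal_name(san_der)
    return (cert_realm, cert_comps) == (realm, name.split("/"))
```

Where `openssl x509 -text` shows only `othername:<unsupported>`, `openssl asn1parse -i -in cert.pem` still dumps the raw structure; the SEQUENCE nested inside the [0] tag that follows the 1.3.6.1.5.2.2 OID is the value `decode_krb5_principal_name` expects.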


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
