author: Greg Hudson <ghudson@mit.edu> 2022-01-07 22:41:30 -0500
committer: Greg Hudson <ghudson@mit.edu> 2022-01-12 13:28:07 -0500
commit: a441fbe329ebbd7775eb5d4ccc4a05eef370f08b (patch)
tree: ed56952614e5c72981d48d75398d33b2a7fffb05 /doc
parent: c85894cfb784257a6acb4d77d8c75137d2508f5e (diff)
download: krb5-a441fbe329ebbd7775eb5d4ccc4a05eef370f08b.tar.gz
Replace AD-SIGNEDPATH with minimal PACs
Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal PAC in all tickets and require a valid PAC to be present in all tickets presented for S4U operations. Remove the get_authdata_info() and sign_authdata() DAL methods, and add an issue_pac() method to allow the KDB to add or copy buffers to the PAC. Add a disable_pac realm flag.

Microsoft revised the S4U2Proxy rules for forwardable tickets. All S4U2Proxy operations require forwardable evidence tickets, but S4U2Self should issue a forwardable ticket if the requesting service has no ok-to-auth-as-delegate bit but also no constrained delegation privileges for traditional S4U2Proxy. Implement these rules, extending the check_allowed_to_delegate() DAL method so that the KDC can ask if a principal has any delegation privileges.

Combine the KRB5_KDB_FLAG_ISSUE_PAC and KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT. Rename the KRB5_KDB_FLAG_CANONICALIZE flag to KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for lookup operations that can use a realm referral.

For consistency with Active Directory, honor the no-auth-data-required server principal flag for S4U2Proxy but not for S4U2Self. Previously we did the reverse.

ticket: 9044 (new)
Diffstat (limited to 'doc')

-rw-r--r-- doc/admin/conf_files/kdc_conf.rst 6
1 file changed, 6 insertions, 0 deletions
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 1dc958d62..74a0a2ace 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -208,6 +208,12 @@ The following tags may be specified in a [realms] subsection:
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
+**disable_pac**
+ (Boolean value.) If true, the KDC will not issue PACs for this
+ realm, and S4U2Self and S4U2Proxy operations will be disabled.
+ The default is false, which will permit the KDC to issue PACs.
+ New in release 1.20.
+
**encrypted_challenge_indicator**
(String.) Specifies the authentication indicator value that the KDC
asserts into tickets obtained using FAST encrypted challenge
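Review bot: the new **disable_pac** entry says that S4U2Self and S4U2Proxy are disabled when the flag is true, but not why; since the commit message states that a valid PAC is now required in every ticket presented for S4U operations (the replacement for the AD-SIGNEDPATH evidence-ticket check), a short clause such as "because these operations require a PAC in the evidence ticket" would tell administrators that setting this flag trades away that protection rather than just a feature. The paragraph formatting matches the neighbouring **encrypted_challenge_indicator** entry, so no style changes are needed.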