Date: Wed, 4 Dec 2013 17:17:27 +0100
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@MIT.EDU
Subject: PoC to fix cross realm S4U2Self

Hi,
with the attached patch S4U2Self works for me even on cross-realm
environments, I tested this even with AD forest trust. I think this
issue is reported in ticket #7022 as well.
The idea is to convert in krb5_get_self_cred_from_kdc() the server part
of the s4u creds to an enterprise principal before sending it to a
different realm and convert it back to a plain principal when coming
back to the local realm. I'm not sure if this is the right way to fix
it. The patch needs some improvements (coding style, freeing memory,
...) and I'd be happy to send a better version but I would like to get
some feedback if the general solution seems to be correct or if this
issue should be solved differently?
Thanks for your help.
bye,
Sumit
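
As an added example (not the attached patch and not libkrb5 code), here is a simplified model of the name conversion the message describes. The struct, the function names and the sample principal are hypothetical, and it assumes the enterprise name takes the realm of the KDC being asked.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-in, NOT libkrb5's krb5_principal. Name-type values: RFC 4120.
   In every function below, out must not alias in. */
enum { NT_SRV_INST = 2, NT_ENTERPRISE = 10 };
struct princ { int type; char realm[64]; char name[192]; };
/* Plain -> enterprise: the home realm moves into the single name component and
   the realm field becomes the KDC being asked (assumption, see lead-in). */
int to_enterprise(const struct princ *in, const char *kdc_realm, struct princ *out)
{
    int n = snprintf(out->name, sizeof(out->name), "%s@%s", in->name, in->realm);
    if (in->type == NT_ENTERPRISE || n < 0 || (size_t)n >= sizeof(out->name))
        return -1;
    n = snprintf(out->realm, sizeof(out->realm), "%s", kdc_realm);
    if (n < 0 || (size_t)n >= sizeof(out->realm))
        return -1;
    out->type = NT_ENTERPRISE;
    return 0;
}

/* Enterprise -> plain: split at the last '@' to recover name and home realm. */
int to_plain(const struct princ *in, int plain_type, struct princ *out)
{
    const char *at = strrchr(in->name, '@');
    if (in->type != NT_ENTERPRISE || !at || at == in->name ||
        at[1] == '\0' || strlen(at + 1) >= sizeof(out->realm))
        return -1;
    memcpy(out->name, in->name, (size_t)(at - in->name));
    out->name[at - in->name] = '\0';
    strcpy(out->realm, at + 1);
    out->type = plain_type;
    return 0;
}

/* Server name for the request sent to kdc_realm: plain at home, enterprise abroad. */
int server_for_hop(const struct princ *local, const char *kdc_realm, struct princ *out)
{
    if (strcmp(kdc_realm, local->realm) != 0)
        return to_enterprise(local, kdc_realm, out);
    *out = *local;
    return 0;
}

int main(void)
{
    struct princ svc = { NT_SRV_INST, "A.EXAMPLE", "host/app.a.example" }, hop; /* constructed */
    if (server_for_hop(&svc, "B.EXAMPLE", &hop) == 0)
        printf("%s @ %s (type %d)\n", hop.name, hop.realm, hop.type);
    return 0;
}
```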