Message-ID: <1f66ea95e42da923c21c55ab2b535328aa7fc4d5.camel@aegee.org>
Subject: MIT Kerberos with S4U2Self support | why i want a bugzilla account
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: bugzilla-maintenance@samba.org
Date: Mon, 10 Jun 2019 12:33:00 +0000
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.33.3
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hello,

I am mailing you, since the procedure for creating new BZ accounts, described at
https://bugzilla.samba.org/createaccount-save.html suggests so.

Please update
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server to state to
which extent S4U2Self, S4U2Proxy, PKINIT… are (not) supported.

The release notes for MIT Kerberos 1.17 at
https://web.mit.edu/kerberos/krb5-1.17/ state:

Protocol evolution:
• The KDC now supports cross-realm S4U2Self requests when used with a
  third-party KDB module such as Samba's. The client code for cross-realm
  S4U2Self requests is also now more robust.

I asked at krb5-bugs@mit.edu on Saturday:

https://web.mit.edu/kerberos/krb5-1.17/ says KDC supports S4U2Self requests
when used with the Samba KDB module, but
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server leaves the
impression S4U2Self does not work with Samba. Please clarify.

To which the answer today was:

Subject: [krbdev.mit.edu #8814] Listing third-party KDC modules
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>

I am not sure what the Samba roadmap entry is referring to. The MIT
KDC has supported within-realm S4U2Self since release 1.8. In release
1.17, the KDC supports cross-realm S4U2Self, if the KDB module issues
appropriate realm referrals. This KDC work was done by a Samba
developer, so it is my understanding that the Samba KDB module can
issue those referrals.

(There is another S4U2Self case where the client is identified by X.509
certificate instead of principal name. This case will be supported in
release 1.18, provided that the KDB module implements a new lookup
function.)

That said, please update:
https://wiki.samba.org/index.php/Roadmap_MIT_KDC and
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server to
include more precise information on what works and what does not work with
MIT Kerberos 1.17.

Regards
Дилян