MIT Kerberos strips authentication indicators at the realm boundary. In the IPA-to-IPA trust case this makes it impossible to recognize that a user from a trusted domain was authenticated with a particular pre-authentication mechanism, and therefore impossible to grant that user access to Kerberos services protected by authentication indicators.
The issue_pac KDB API allows a KDB module to modify the list of authentication indicators that the KDC will issue. issue_pac is called for both AS-REQ and TGS-REQ processing. When the KRB5_KDB_FLAG_CROSS_REALM flag is passed to issue_pac, the PAC fields come from the trusted KDC, so we can analyze them and grant indicators in our realm. The PAC record is also encrypted and signed by the KDC of the trusted realm; our KDC validates the PAC integrity before calling issue_pac.
The PAC record contains group membership information, and SIDs are namespaced, which allows contextual details to be passed through. Microsoft Active Directory already uses well-known SIDs to express some of those details; see the MS-DTYP specification: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
For example, the following well-known SIDs are used by Active Directory to express meanings close to what we handle with authentication indicators:
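As an added illustration (not code from this ticket or from the krb5/IPA code base), the following C sketch models the decision an issue_pac implementation would make: only when the cross-realm flag is set are SIDs from the trusted KDC's PAC consulted, and each well-known SID found is translated into an indicator name for our realm. The SID-to-indicator table, the local CROSS_REALM_FLAG constant standing in for KRB5_KDB_FLAG_CROSS_REALM, and the string-based inputs are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy table: a well-known SID carried in the trusted realm's
 * PAC maps to an authentication indicator name issued in our realm. The
 * pairing below is an assumption for this example, not an IPA default. */
struct sid_indicator { const char *sid; const char *indicator; };
static const struct sid_indicator sid_map[] = {
    { "S-1-5-64-14", "pkinit" },  /* SChannel (certificate) authentication */
    { "S-1-18-1",    "otp" },     /* authentication-authority-asserted identity */
};
#define SID_MAP_LEN (sizeof sid_map / sizeof sid_map[0])

/* Stand-in for KRB5_KDB_FLAG_CROSS_REALM (value chosen for the example). */
#define CROSS_REALM_FLAG 0x1

/* Fill `out` with indicators derived from the PAC SIDs; returns the count.
 * PAC content is trusted only in the cross-realm case, where the KDC has
 * already verified the trusted realm's signature before calling us. */
int derive_indicators(unsigned int flags, const char **pac_sids, int n_sids,
                      const char **out, int max_out)
{
    int n = 0;
    if (!(flags & CROSS_REALM_FLAG))
        return 0;
    for (int i = 0; i < n_sids; i++) {
        for (size_t j = 0; j < SID_MAP_LEN; j++) {
            if (strcmp(pac_sids[i], sid_map[j].sid) != 0)
                continue;
            int seen = 0;  /* avoid issuing the same indicator twice */
            for (int k = 0; k < n; k++)
                if (strcmp(out[k], sid_map[j].indicator) == 0)
                    seen = 1;
            if (!seen && n < max_out)
                out[n++] = sid_map[j].indicator;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a domain group SID plus one well-known SID. */
    const char *sids[] = { "S-1-5-21-1-2-3-513", "S-1-5-64-14" };
    const char *ind[8];
    int n = derive_indicators(CROSS_REALM_FLAG, sids, 2, ind, 8);
    for (int i = 0; i < n; i++)
        printf("issue indicator: %s\n", ind[i]);
    return 0;
}
```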
Tasks: