Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
mrex@sap.com (Martin Rex) Wed, 30 August 2017 22:37 UTC
Return-Path: <mrex@sap.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1980313294B for <kitten@ietfa.amsl.com>; Wed, 30 Aug 2017 15:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F93rbrZn14vY for <kitten@ietfa.amsl.com>; Wed, 30 Aug 2017 15:37:35 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C75261200F3 for <kitten@ietf.org>; Wed, 30 Aug 2017 15:37:34 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 3xjL3w6kxvz1HBc; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
X-purgate-ID: 152705::1504132652-00000805-1EE4DD83/0/0
X-purgate-size: 2274
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3xjL3w3GgTzGnyY; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 6A91B1A6EC; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
In-Reply-To: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
To: Stefan Metzmacher <metze@samba.org>
Date: Thu, 31 Aug 2017 00:37:32 +0200
CC: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170830223732.6A91B1A6EC@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/02No9I7ws-qjjWtJ1I4Cb9MyJW4>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2017 22:37:37 -0000
Stefan Metzmacher wrote: > >>> I guess the proposed credential option is necessary, in that case. >>> >> >> I think in this case ignoring the flag should probably be conditional >> to whether a PAC is present. > > We should enforce a PAC always to be present, as we don't support > trusted domains with LSA_TRUST_TYPE_MIT anyway. I haven't really followed the discussion here, but Microsoft PACs are a royal PITA, wasting huge amounts of network bandwidth, creating bad latency on authentication, causing spurious authentication failures during high-load situations and completely breaking certain rfc4559 HTTP Negotiate scenarios when users are assigned to lots of groups in Microsoft AD. Bottlenecks in LSA PAC verifications are extremely annoying, such as using Outlook&Exchange with 50k+ Users and at least once an hour an Outlook Password logon prompt pops up because one of the crazy many rfc4559 Kerberos authentications failed between Outlook and Exchange. (Hitting cancel on the popup and toggling offline/online in the Outlook window status bar retries Kerberos authentication and typically succeeds... Simply disabling PACs on the service account for service tickets solves all of the hard and annoying problems, by enabling the bit UF_NO_AUTH_DATA_REQUIRED (0x02000000) in the UserAccountControl property of the service account. Without setting this bit to omit the crazy PACs, common problems with heavy (mindless) Group membership usage are this: https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/ Reasons why the myriads of PAC verfications occasionally fail: https://blogs.technet.microsoft.com/instan/2011/11/14/the-return-of-pac-mania-aka-some-reasons-why-pac-verification-can-fail/ and btw. huge kerberos tickets can also make rfc4559 fail because of the excessive size of the HTTP header field to carry the AP_REQ with the kerberos ticket. Whenever authorization isn't actually managed through PACs, i.e. pretty much 100% of the time when the backend is a database and access through rfc4559 HTTP Negotiate, omitting PACs from Kerberos tickets comes close to a universal panacea for a huge amount of "occasional" failures. -Martin
- [kitten] Checking the transited list of a kerbero… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- [kitten] Tangent from: Checking the transited lis… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Simo Sorce
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Simo Sorce
- Re: [kitten] Checking the transited list of a ker… Viktor Dukhovni
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Simo Sorce
- Re: [kitten] Checking the transited list of a ker… Martin Rex
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Nico Williams
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Nico Williams
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Isaac Boukris
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher