Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Andrew Bartlett <abartlet@samba.org> Tue, 21 February 2023 19:31 UTC

Message-ID: <ac32b1085ced6e0813f5ff8205762127149a3eec.camel@samba.org>
From: Andrew Bartlett <abartlet@samba.org>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>, Nico Williams <nico@cryptonector.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Date: Wed, 22 Feb 2023 08:30:50 +1300
In-Reply-To: <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
References: <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <Y/QT7BxdTHq0RYTz@gmail.com> <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/NauCDjbBbJP7Stq8n_Zo00HM9uc>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

My team at Catalyst will be implementing this for the Samba AD DC in
the next year or so, including client tooling.  

That will certainly help a lot with learning how something like this
might work cross-platform.

Andrew,

On Tue, 2023-02-21 at 17:44 +0000, Steve Syfuhs (AP) wrote:
> Here's a useful overview: 
> https://syfuhs.net/how-managed-service-accounts-in-active-directory-work
> 
> 
> Here's the derivation logic: 
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/9cd2fc5e-7305-4fb8-b233-2a60bc3eec68
> 
> 
> Here's how we generate the key generically: 
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/5d373568-dd68-499b-bd06-a3ce16ca7117
> 
> 
> Obviously the AD/Windows-specific stuff wouldn't be appropriate to
> apply to a public spec, but the gist of it might be useful.
> 
> -----Original Message-----
> From: Nico Williams <nico@cryptonector.com>
> Sent: Tuesday, February 21, 2023 9:31 AM
> To: Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com>
> Cc: Luke Howard Bentata <lukeh@padl.com>; kitten@ietf.org
> 
> Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and
> implement IAKerb draft-ietf-kitten-iakerb-03
> 
> On Tue, Feb 21, 2023 at 04:44:15PM +0000, Steve Syfuhs (AP) wrote:
> > You might also consider Active Directory's (group) managed service 
> > accounts. At least the group keying mechanism.
> 
> Where would I learn more about that?
> 
> Nico
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
Solutions