We are fine with being alone, but seeking knowledge and trying to understand what we are
doing as deeply as possible is a high priority.
I knew about a problem with digitally unsigned PACs, recently addressed by Microsoft and
the Samba team. And I do see the problems pointed out in the slides, and of course that is
a problem that breaks Active Directory at least, since the Kerberos principals and the
actual username are separate entities. In a Unix-only environment without user access to
renaming accounts, with complete control over the principal and username space (for
hosts, users and services alike), and with no trust to external parties, I still don't
see how our setup would be vulnerable. I appreciate your reservations though.
And just to be clear: the LAB, SAD and MAD subdomains are meant as technological testing
and development grounds for system tests, application tests and a playground for making
deep dives into authentication systems in general.
One last thing: any other information about the PAD approach contra MS-PAC? If I enable
this in my IPA deployment, is it actually used and does it have consequences? Through a
half-hearted Google search, I was only able to find these two sources:
https://www.freeipa.org/page/V3/Read_and_use_per_service_pac_type
https://datatracker.ietf.org/doc/html/draft-ietf-krb-wg-pad-01
Is there any internal FreeIPA development discussion that one can read, where the
implementation/use of PADs is discussed?
Does it make any difference setting:
ipa config-mod --pac-type=nfs:NONE --pac-type=PAD
contra:
ipa config-mod --pac-type=
(where, as I understand it, everything defaults to NONE-PAC)