Short note: PAD does not exist. It was planned, never implemented. The
code in the FreeIPA KDB driver will reject this setting when using tickets, so
do not set it.
Also, SSSD expects PAC presence, see SSSD documentation.
Finally, there is no way to resolve users from another realm. Either they are
exactly the same as in this realm or ... SSSD has no way to resolve those
users yet.
On Tuesday, February 21, 2023, Jostein Fossheim via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
We are fine with being alone, but seeking knowledge and trying to understand
what we are doing as deeply as possible is a high priority.
I knew about a problem with digitally unsigned PACs, recently addressed by
Microsoft and the Samba team. And I do see the problems pointed out in
the slides, and of course that is a problem that breaks Active Directory at
least, since the Kerberos principals and the actual username are separate
entities. In a Unix-only environment without user access to renaming
accounts, and with complete control over the principal and username
space (for both hosts, users and services), and with no trust to external
parties, I still don't see how our setup would be vulnerable. I appreciate
your reservations though.
And just to be clear: the LAB, SAD and MAD subdomains are meant as
technological testing and development grounds, for system tests,
application tests and a playground for making deep-dives into
authentication systems in general.
One last thing: any other information about the PAD approach contra
MS-PAC? If I enable this in my IPA deployment, is it actually used and does it
have consequences? Through a half-hearted Google search, I was only able to find
these two sources:
where one is discussing the implementation/use of PADs?
Does it make any difference setting:
ipa config-mod --pac-type=nfs:NONE --pac-type=PAD
contra:
ipa config-mod --pac-type=
(where as I understand it everything defaults to NONE-PAC)
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland