Short note: PAD does not exist. It was planned, never implemented. The code in the FreeIPA KDB driver will reject this setting when using tickets, so do not set it.
Also, SSSD expects PAC presence, see the SSSD documentation. Finally, there is no way to resolve users from another realm. Either they are exactly the same as in this realm or ... SSSD has no way to resolve those users yet.

On Tuesday, February 21, 2023, Jostein Fossheim via FreeIPA-users <[email protected]> wrote:
> We are fine with being alone, but seeking knowledge and trying to understand what we are doing as deeply as possible is a high priority.
>
> I knew about a problem with digitally unsigned PACs, recently addressed by Microsoft and the Samba team. And I do see the problems pointed out in the slides, and of course that is a problem that breaks Active Directory at least, since the Kerberos principals and the actual username are separate entities. In a Unix-only environment without user access to renaming accounts, with complete control over the principal and username space (for both hosts, users and services), and with no trust to external parties, I still don't see how our setup would be vulnerable. I appreciate your reservations though.
>
> And just to be clear: the LAB, SAD and MAD subdomains are meant as technological testing and development grounds, for system tests, application tests and a playground for making deep dives into authentication systems in general.
>
> One last thing: any other information about the PAD approach contra MS-PAC? If I enable this in my IPA deployment, is it actually used and does it have consequences? Through a half-hearted Google search, I was only able to find these two sources:
>
> https://www.freeipa.org/page/V3/Read_and_use_per_service_pac_type
> https://datatracker.ietf.org/doc/html/draft-ietf-krb-wg-pad-01
>
> Is there any internal FreeIPA development discussion that one can read where the implementation/use of PADs is discussed?
>
> Does it make any difference setting:
>
> ipa config-mod --pac-type=nfs:NONE --pac-type=PAD
>
> contra:
>
> ipa config-mod --pac-type=
>
> (where, as I understand it, everything defaults to NONE-PAC)
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
