> On 03/15/2017 11:39 AM, Osipov, Michael wrote:
> > So there is basically no way to tell MIT Kerberos if your home realm is
> > unable to route the request, it should try other realms, correct?
>
> No; we have a fallback realm mechanism in the TGS client code, but it
> only tries one realm (determined by TXT records or DNS heuristics) and
> you can't configure a list.
>
> We haven't implemented a TGS realm search path because:
>
> 1. It's not completely secure, in that an attacker can forge error
> messages to make the client walk the list past the ideal destination for
> a given service. FAST TGS was supposed to fix this, but for various
> reasons it doesn't.
At which point would an attacker be able to forge a message? DNS updates
here are via GSS-TSIG only. krb5.conf can be changed by root only. I would
expect this search list to reside in krb5.conf.

No.

> 2. The TGS client code is already really complicated, and we're
> reluctant to add more complexity to code that is hard to understand as
> it is.
>
> 3. There are some caching concerns, which if left unaddressed would lead
> to a lot of repeated TGS requests to the earlier realms.

Acknowledged.

> That said, I'm told Heimdal recently added support for a feature like
> this, so if Microsoft does as well, that makes us the odd one out, and
> we should perhaps reconsider.

I checked Heimdal's git log from today back to 2015 and haven't found
anything. Can you name the change in particular?

If you are up to reconsidering, I asked about a related topic almost a
year ago [1] without any answer. The search order issue only applies to
SPNs with two components, namely without a realm indication.

Can you create a ticket for this feature in your bug tracker? If you reach
some code state, I can test anytime from master. I have several huge
forests at hand. Just ping me privately.

Best regards,

Michael

[1] https://www.mail-archive.com/kerberos@mit.edu/msg21765.html

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
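Editor's note, added to this thread (not from either poster): the realm-selection settings MIT krb5 does expose today for a two-component SPN such as host/web01.corp.example, which carries no realm. They give exactly one realm per name; none of them is the search list discussed above. Realm and host names are made up. The caveat behind Greg's point 1 is worth spelling out: the walk he describes would be driven by KRB-ERROR responses, and a plain KRB-ERROR carries no integrity protection under RFC 4120, so an on-path attacker can inject one regardless of who may edit krb5.conf or update DNS. GSS-TSIG protects the zone's update path, not the query responses a client receives.

```ini
; Added illustration (not part of the mailing-list thread). Names are made up.
[libdefaults]
    default_realm = CORP.EXAMPLE
    ; When [domain_realm] has no entry for a host, let the library look up
    ; the _kerberos.<hostname> TXT record. This is the single-realm DNS
    ; fallback Greg refers to; the answer is only as trustworthy as the DNS
    ; response path, which GSS-TSIG-authenticated updates do not protect.
    dns_lookup_realm = true

[domain_realm]
    ; Static host-to-realm mapping, consulted before DNS. Each name maps to
    ; exactly one realm; there is no way to list alternatives to try next.
    .corp.example    = CORP.EXAMPLE
    .eu.corp.example = EU.CORP.EXAMPLE
    .partner.example = PARTNER.EXAMPLE

[capaths]
    ; Cross-realm trust path the TGS client follows once a target realm has
    ; been chosen ("." = direct trust). It does not make the client retry the
    ; request against a different target realm on failure.
    CORP.EXAMPLE = {
        PARTNER.EXAMPLE = .
    }
```

A quick way to see which realm a client actually picked for an unqualified SPN is to run kvno against the service name with KRB5_TRACE set in the environment, which logs the [domain_realm] or TXT lookup and the referral chain the TGS client followed.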