Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2640
This came up on sssd-devel when discussing one-way trust design. I'm
pasting the discussion below:
Another thing to remember is a potential need to limit enctypes you'd be
requesting because camellia ciphers are not known to AD and might cause
issues at some point.
SSSD should not be in the business of creating keytabs, it should only
be allowed to retrieve a precreated key, so SSSD shouldn't care about
enctypes, it will get only those that the FreeIPA code stored in the key
in LDAP.
So this means ipasam needs to limit enctypes when asking for the keys.
Comments
Comment from jhrozek at 2015-04-28 12:51:41
One more message in the thread, by Simo:
Yes it should only ask for enctypes that the AD server on the other side
understands, but only for good measure. The key used is always determined
by the KDC (AD in this case) so having additional keys in the keytab is
not a problem. A problem would rather be to miss enctypes, as the KDC
could decide to encode a ticket/TGT in one of the missing enctypes then
and we would not be able to decrypt.
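As an added example (not SSSD or FreeIPA code) of the check the last paragraph implies: parse a keytab and report, per principal, which of the enctypes the remote KDC might pick have no key in the file. Extra keys (the camellia ones here) are not flagged, since the KDC never forces their use; a missing one is. The parser follows the MIT keytab format (version 0x0502); the set of enctypes attributed to AD (RC4-HMAC and the SHA-1 AES types), the principal names and the keytab bytes are constructed for this example, with dummy key material.

```python
"""Audit which enctypes a Kerberos keytab lacks for a given KDC.

Added example, not SSSD/FreeIPA code. Parses MIT keytab format 0x0502 and
reports, per principal, the enctypes from an assumed KDC set that have no
key in the keytab. The sample keytab below is constructed; keys are dummy.
"""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 6803, RFC 8009).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}

# Assumption for the check: the enctypes an AD KDC may choose when it
# encrypts a cross-realm TGT or service ticket. Camellia is not among them.
AD_ENCTYPES = {17, 18, 23}


def _counted(buf, pos):
    """Read a 16-bit-length-prefixed octet string; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(buf):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos = 2
    entries = []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size < 0:                      # free slot left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        realm, pos = _counted(buf, pos)   # realm precedes the components
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(buf, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", buf, pos)
        pos += 4 + keylen                 # key bytes themselves are not needed
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno extension
            (kvno32,) = struct.unpack_from(">I", buf, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def missing_enctypes(entries, wanted=AD_ENCTYPES):
    """Map each principal to the sorted enctypes in `wanted` it has no key for."""
    have = {}
    for principal, _kvno, enctype in entries:
        have.setdefault(principal, set()).add(enctype)
    return {p: sorted(wanted - ets) for p, ets in have.items()}


def build_entry(principal, kvno, enctype, key):
    """Serialize one keytab entry (used only to construct the sample file)."""
    comps, realm = principal.split("@")
    body = struct.pack(">H", comps.count("/") + 1)
    for s in [realm] + comps.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # KRB5_NT_PRINCIPAL, ts 0
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                      # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


# Constructed sample: the trust principal has AES and camellia keys, no RC4 key.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("krbtgt/AD.EXAMPLE@IPA.EXAMPLE", 3, et, b"\x00" * n)
    for et, n in [(18, 32), (17, 16), (26, 32), (25, 16)]
)

if __name__ == "__main__":
    for principal, gaps in missing_enctypes(parse_keytab(SAMPLE_KEYTAB)).items():
        names = [ENCTYPE_NAMES.get(e, str(e)) for e in gaps]
        print(principal, "missing:", names or "none")
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_keytab` instead of `SAMPLE_KEYTAB`; the report lists only what the assumed KDC set needs and is silent about surplus keys.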
Comment from jhrozek at 2015-04-28 12:54:06
Sorry, I meant to file this ticket in the freeipa trac..
resolution: => invalid
status: new => closed
Comment from jhrozek at 2017-02-24 14:28:43
Metadata Update from @jhrozek: