mirror of https://salsa.debian.org/freeipa-team/freeipa.git, synced 2024-12-23 07:33:27 -06:00
doc/designs/rbcd.md: document use of S-1-18-* SIDs
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
parent 667b82a870
commit 0bf0b2d251
@ -20,6 +20,9 @@ A general constrained delegation mechanism described here for the sake of
completeness. The description is based on the original design document published
completeness. The description is based on the original design document published
originally at [FreeIPA wiki page](https://www.freeipa.org/page/V4/Service_Constraint_Delegation).
originally at [FreeIPA wiki page](https://www.freeipa.org/page/V4/Service_Constraint_Delegation).
A general overview of a constrained delegation from Microsoft point of view can
be found in [this document](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview).
## Introduction
## Introduction
Services for User extensions were introduced as a part of Kerberos
Services for User extensions were introduced as a part of Kerberos
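Review bot: the added sentence drops an article, "from Microsoft point of view"; suggest "A general overview of constrained delegation from the Microsoft point of view can be found in [this document](...)". Since the linked page is Microsoft's general Kerberos constrained delegation overview, one more clause saying that it covers resource-based constrained delegation as well would tell the reader why it is cited in an RBCD design document.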
@ -387,6 +390,15 @@ Since `KRB5_TL_CONSTRAINED_DELEGATION_ACL` TL data might be present in the
Kerberos principal KDC object, destructor for the Kerberos principal is
Kerberos principal KDC object, destructor for the Kerberos principal is
extended to free the associated memory.
extended to free the associated memory.
Finally, KDB driver follows requirements for [MS-SFU 3.2.5.1.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ad98268b-f75b-42c3-b09b-959282770642)
and adds SIDs `S-1-18-1` or `S-1-18-2` to the MS-PAC structure's `extraSids`
field depending on how identity was verified:
* for non-S4U2Self operation initial PAC structure population includes a SID
`S-1-18-1`, as a `AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY`,
* for S4U operation, instead, a SID `S-1-18-2` is added, as a `SERVICE_ASSERTED_IDENTITY`.
### Test Plan
### Test Plan
General constrained delegation is already used by the IPA management framework
General constrained delegation is already used by the IPA management framework
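Review bot: the two new bullets use inconsistent scope labels: the first is restricted to "non-S4U2Self operation" while the second says "for S4U operation", which as written also covers S4U2Proxy. If `S-1-18-2` is only inserted when the KDC builds a PAC for an S4U2Self request, write "for S4U2Self operation" in the second bullet, and either way add one sentence stating what the S4U2Proxy path does with the asserted-identity SID (fresh insertion or carried over from the PAC in the evidence ticket), since that is the path an RBCD reader needs to reason about. Two smaller points in the same hunk: "as a `AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY`" should be "as an", and "Finally, KDB driver follows requirements for" should be "Finally, the KDB driver follows the requirements of".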
@ -469,8 +481,8 @@ $ ipa service-add-delegation cifs/file.example.test HTTP/web-service.example.tes
```
```
Example 5: Test RBCD access by service `HTTP/web-service.example.test` to
Example 5: Test RBCD access by service `HTTP/web-service.example.test` to
`cifs/file.example.test`. In this example we assume that RBCD ACL created in
`cifs/file.example.test`. In this example we assume that an RBCD ACL created in
examples 2 or 3 exists, there is a keytab `/path/to/web-service.keytab` for
examples 1-3 exists, there is a keytab `/path/to/web-service.keytab` for
`HTTP/web-service.example.test`, and a `cifs/file.example.test` service was
`HTTP/web-service.example.test`, and a `cifs/file.example.test` service was
created with `ipa-install-samba` tool which ensures a keytab was obtained for
created with `ipa-install-samba` tool which ensures a keytab was obtained for
Samba service as well. The presence of keytabs ensures corresponding Kerberos
Samba service as well. The presence of keytabs ensures corresponding Kerberos
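Review bot: widening "examples 2 or 3" to "examples 1-3" changes which earlier steps the reader is assumed to have completed; please confirm that example 1 also creates an RBCD ACL for `cifs/file.example.test`, otherwise the narrower reference was the accurate one. While touching this paragraph, the unchanged context lines are missing articles: "created with `ipa-install-samba` tool which ensures a keytab was obtained for Samba service as well" reads better as "created with the `ipa-install-samba` tool, which ensures that a keytab was also obtained for the Samba service".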