doc/designs/rbcd.md: document use of S-1-18-* SIDs

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Alexander Bokovoy 2023-04-04 17:15:43 +03:00 committed by Rob Crittenden
parent 667b82a870
commit 0bf0b2d251


@ -20,6 +20,9 @@ A general constrained delegation mechanism described here for the sake of
completeness. The description is based on the original design document published completeness. The description is based on the original design document published
originally at [FreeIPA wiki page](https://www.freeipa.org/page/V4/Service_Constraint_Delegation). originally at [FreeIPA wiki page](https://www.freeipa.org/page/V4/Service_Constraint_Delegation).
A general overview of a constrained delegation from Microsoft point of view can
be found in [this document](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview).
## Introduction ## Introduction
Services for User extensions were introduced as a part of Kerberos Services for User extensions were introduced as a part of Kerberos
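Review bot: the new sentence spanning lines 17-18 needs the possessive, "from Microsoft's point of view" (or "from the Microsoft side"), and its link text "this document" tells the reader nothing; name the target, e.g. "the Kerberos Constrained Delegation Overview on Microsoft Learn", so the sentence still makes sense when the URL is not visible. Since the preceding paragraph already opens with "A general constrained delegation mechanism", starting this sentence with "A general overview" reads repetitive; "An overview of constrained delegation from Microsoft's point of view" avoids it.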
@ -387,6 +390,15 @@ Since `KRB5_TL_CONSTRAINED_DELEGATION_ACL` TL data might be present in the
Kerberos principal KDC object, destructor for the Kerberos principal is Kerberos principal KDC object, destructor for the Kerberos principal is
extended to free the associated memory. extended to free the associated memory.
Finally, KDB driver follows requirements for [MS-SFU 3.2.5.1.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ad98268b-f75b-42c3-b09b-959282770642)
and adds SIDs `S-1-18-1` or `S-1-18-2` to the MS-PAC structure's `extraSids`
field depending on how identity was verified:
* for non-S4U2Self operation initial PAC structure population includes a SID
`S-1-18-1`, as a `AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY`,
* for S4U operation, instead, a SID `S-1-18-2` is added, as a `SERVICE_ASSERTED_IDENTITY`.
### Test Plan ### Test Plan
General constrained delegation is already used by the IPA management framework General constrained delegation is already used by the IPA management framework
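Review bot: the two bullets on lines 27-29 are inconsistent about which operation triggers each SID. The first is keyed on "non-S4U2Self operation", the second on "S4U operation" in general, which as written also covers S4U2Proxy. If `S-1-18-2` is only meant for tickets obtained through S4U2Self (the natural reading given the first bullet), say "for an S4U2Self operation" in the second bullet; if S4U2Proxy is intended as well, state that explicitly and explain how it interacts with the PAC carried over from the evidence ticket. Small wording fixes in the same lines: "an `AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY`" rather than "a", "depending on how the identity was verified", and "for a non-S4U2Self operation, the initial PAC population includes the SID `S-1-18-1`" instead of "initial PAC structure population includes a SID".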
@ -469,8 +481,8 @@ $ ipa service-add-delegation cifs/file.example.test HTTP/web-service.example.tes
``` ```
Example 5: Test RBCD access by service `HTTP/web-service.example.test` to Example 5: Test RBCD access by service `HTTP/web-service.example.test` to
`cifs/file.example.test`. In this example we assume that RBCD ACL created in `cifs/file.example.test`. In this example we assume that an RBCD ACL created in
examples 2 or 3 exists, there is a keytab `/path/to/web-service.keytab` for examples 1-3 exists, there is a keytab `/path/to/web-service.keytab` for
`HTTP/web-service.example.test`, and a `cifs/file.example.test` service was `HTTP/web-service.example.test`, and a `cifs/file.example.test` service was
created with `ipa-install-samba` tool which ensures a keytab was obtained for created with `ipa-install-samba` tool which ensures a keytab was obtained for
Samba service as well. The presence of keytabs ensures corresponding Kerberos Samba service as well. The presence of keytabs ensures corresponding Kerberos
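Review bot: the edit on line 36 widens the cross-reference from "examples 2 or 3" to "examples 1-3"; please confirm that example 1 actually creates an RBCD ACL rather than only the service principals, otherwise the previous text was the correct one. If the wider range is right, "examples 1 to 3" (or "one of examples 1-3") reads better in prose than a bare "1-3", and since this paragraph is being touched anyway, the context line "created with `ipa-install-samba` tool" is missing "the".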