[37541] in Kerberos


AW: Resource based kerberos constrained delegation

daemon@ATHENA.MIT.EDU (Stefan Dietiker)
Tue Jun 28 06:04:17 2016

From: Stefan Dietiker <stefan.dietiker@ergon.ch>
To: "Greg Hudson" <ghudson@mit.edu>, <kerberos@mit.edu>
In-Reply-To: <563F77A2.5020402@mit.edu>
Date: Tue, 28 Jun 2016 12:03:55 +0200 (CEST)
Message-ID: <007e01d1d124$617f1000$247d3000$@ergon.ch>
MIME-Version: 1.0
Content-Language: de-ch
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Greg

A few months ago I asked you whether it is possible with krb5-libs to
do Resource Based Kerberos Constrained Delegation or not. You mentioned
that the Kerberos libs do not include the PA-PAC-OPTIONS which are
required for this purpose. Recently I was tracking the changes in the git
repo and realized that a new option "--request-pac" is available. I
started to test with the following version:
https://github.com/krb5/krb5/commit/c969e8a37617e9c7743a28177dd3808f7d08cee9

Despite the fact that I am using the "--request-pac" argument for kinit,
RBKCD does not work. I always get the following error message from the
trusted child domain:
"kvno: KDC policy rejects request ..." 

Before spending too much time on further analysis I want to ask you
whether the mentioned krb5-libs version supports RBKCD or not. I would
appreciate it if you could answer that question.

Regards
Stefan
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
