[37543] in Kerberos

Re: AW: Resource based kerberos constrained delegation

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jun 28 10:59:37 2016

To: Stefan Dietiker <stefan.dietiker@ergon.ch>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <577290B6.8040702@mit.edu>
Date: Tue, 28 Jun 2016 10:59:02 -0400
In-Reply-To: <007e01d1d124$617f1000$247d3000$@ergon.ch>

On 06/28/2016 06:03 AM, Stefan Dietiker wrote:
> A few months ago I asked you whether it is possible with krb5-libs to
> do Resource Based Kerberos Constrained Delegation or not. You mentioned
> that the Kerberos libs do not include the PA-PAC-OPTIONS which are
> required for this purpose. Recently I was tracking the changes in the git
> repo and realized that a new option "--request-pac" is available.

I don't believe this change bears any relation to resource based
constrained delegation.  PA-PAC-REQUEST is different from PA-PAC-OPTIONS.

(I would also assume there is substantially more to implementing
resource based constrained delegation on the client than just sending
the PA-PAC-OPTIONS bit, or there would be no reason to have the bit in
the protocol.)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
