Re: Ticket extensions in Kerberos revisions
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed May 3 15:29:13 2000
To: Nicolas Williams <firstname.lastname@example.org>
Cc: cat-ietf@MIT.EDU, krb-protocol@MIT.EDU
In-Reply-To: Your message of "Tue, 02 May 2000 16:09:20 EDT."
Date: Wed, 03 May 2000 14:14:40 -0400
From: Ken Hornstein <email@example.com>

>The second signature, the one signed with the KDC's key, is there so
>that non-system services (services that don't have local privileges to
>start with, i.e., services which "don't run as root") can ask the OS to
>let them assume the credentials of the remote user. In such cases the OS
>has to check a PAC signature that the service itself couldn't fake.

Maybe this is a MS thing - but explain to me again why the non-system service
needs the ability to become the remote user?