[37309] in Kerberos
Re: Resource based kerberos constrained delegation
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Nov 8 11:26:37 2015
To: Stefan Dietiker <stefan.dietiker@ergon.ch>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <563F77A2.5020402@mit.edu>
Date: Sun, 8 Nov 2015 11:26:10 -0500
In-Reply-To: <69a9c2ee.0000041c.000000b1@lap-stefan7.ergon.local>

On 11/06/2015 07:05 AM, Stefan Dietiker wrote:
> - Is there really a dependency, that krb5-libs must support RBKCD
> (Resource based Kerberos constrained delegation)?

Looking at the latest [MS-S4U] document, it appears so. The
intermediate server must include a PA-PAC-OPTIONS pa-data element
containing the resource-based constrained delegation bit, and it must be
prepared to follow referrals in the KDC response.

> - Does krb5-libs support RBKCD?

No. It's possible that we already follow referrals (this would have to
be tested), but we definitely don't include PA-PAC-OPTIONS with our
S4U2Proxy requests.

> - If not now, are there any plans to support that?

I don't have a timeline to offer. We'd of course be happy to accept
tested patches to support this after review.
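
An added illustration, not part of the original message and not krb5 code: the PA-PAC-OPTIONS pa-data element mentioned in the reply, encoded and decoded in Python, with a check for whether a request's pa-data list carries the resource-based constrained delegation bit. The padata-type number 167 and the flag bit positions are taken from Microsoft's published protocol documents ([MS-KILE], [MS-SFU]); the function names and sample inputs are constructed for this example.

```python
# Added example; names and sample inputs are constructed for illustration.
PA_TGS_REQ = 1         # padata-type from RFC 4120
PA_PAC_OPTIONS = 167   # padata-type from [MS-KILE]
RBCD = "resource-based-constrained-delegation"
# Bit positions in KERB-PA-PAC-OPTIONS flags (bit 0 is the most significant).
PAC_OPTION_BITS = {0: "claims", 1: "branch-aware", 2: "forward-to-full-dc", 3: RBCD}

def encode_pac_options(bits):
    """DER-encode KERB-PA-PAC-OPTIONS ::= SEQUENCE { flags [0] KerberosFlags }."""
    word = 0
    for bit in bits:
        word |= 1 << (31 - bit)
    bit_string = b"\x03\x05\x00" + word.to_bytes(4, "big")  # 32 bits, 0 unused
    tagged = b"\xa0" + bytes([len(bit_string)]) + bit_string
    return b"\x30" + bytes([len(tagged)]) + tagged

def _unwrap(buf, tag):
    """Return the value of a short-form DER TLV that must fill buf exactly."""
    if len(buf) < 2 or buf[0] != tag or buf[1] >= 0x80 or buf[1] != len(buf) - 2:
        raise ValueError("malformed PA-PAC-OPTIONS (expected tag 0x%02x)" % tag)
    return buf[2:]

def decode_pac_options(value):
    """Return the set of option names set in a PA-PAC-OPTIONS padata-value."""
    bit_string = _unwrap(_unwrap(_unwrap(value, 0x30), 0xA0), 0x03)
    if len(bit_string) < 5:  # unused-bits octet + at least 32 flag bits
        raise ValueError("KerberosFlags shorter than 32 bits")
    flags = bit_string[1:]
    return {name for bit, name in PAC_OPTION_BITS.items()
            if flags[bit // 8] & (0x80 >> (bit % 8))}

def request_signals_rbcd(padata):
    """padata: (padata-type, padata-value) pairs taken from a decoded TGS-REQ."""
    return any(ptype == PA_PAC_OPTIONS and RBCD in decode_pac_options(value)
               for ptype, value in padata)

if __name__ == "__main__":
    ap_req = b"<AP-REQ bytes omitted>"  # constructed placeholder
    without = [(PA_TGS_REQ, ap_req)]
    with_rbcd = without + [(PA_PAC_OPTIONS, encode_pac_options([3]))]
    print(encode_pac_options([3]).hex())
    print(request_signals_rbcd(without), request_signals_rbcd(with_rbcd))
```

Running `request_signals_rbcd` over the pa-data of a captured S4U2Proxy TGS-REQ is one way to test whether a given client library sends the element at all.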