[16276] in Kerberos_V5_Development


Re: Project Review: kinit -C

daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Sep 15 09:21:00 2010

Mime-Version: 1.0 (Apple Message framework v1081)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <tsl7hionls6.fsf@live.mit.edu>
Date: Wed, 15 Sep 2010 15:20:23 +0200
Message-Id: <D7A856EB-8EA8-40A4-A5F4-201F12993437@padl.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>    Luke> Um, can't we use S4U2Self for this? Or am I missing something
>    Luke> very obvious?
> 
> Are s4u2self tickets marked as such?

No, they're not. S4U2Self is always permitted; the real policy knob concerns whether it can get you forwardable tickets, which you can then use with S4U2Proxy. S4U2Proxy (constrained delegation) tickets are marked with the delegation path.

Presently it is impossible to use S4U2Proxy to acquire a TGT: there's a specific check to disallow this.

What we could do is allow you to use S4U2Proxy to get a TGT contingent on some policy knob. If we need to mark tickets then we can do it with MANDATORY-FOR-KDC authorisation data.

The only catch is that the administrative accounts cannot have KRB5_KDB_DISALLOW_SVR if they are to be used with S4U2Proxy.

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
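Added example, not code from this thread or from MIT krb5: a toy model of the decision points Luke describes. It encodes the three points of the message as checks a KDC might apply when a service asks for a constrained-delegation ticket: S4U2Self is always permitted and the policy only decides whether the resulting ticket is forwardable; S4U2Proxy to a krbtgt/ target is refused unless a policy knob allows it; and a service marked with DISALLOW_SVR cannot be the impersonator. All struct and function names, the flag values (including the stand-in for KRB5_KDB_DISALLOW_SVR) and the principal names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the KDC policy checks discussed in the thread.
 * Not MIT krb5 code; names and flag values are assumptions. */

#define KDB_DISALLOW_SVR   0x00001000u  /* stands in for KRB5_KDB_DISALLOW_SVR; value assumed */
#define TKT_FORWARDABLE    0x1u
#define TKT_CONSTRAINED    0x2u         /* ticket carries a delegation path (S4U2Proxy result) */

enum s4u_result {
    S4U_OK = 0,
    S4U_DENY_DISALLOW_SVR,     /* impersonating service may not act as a server */
    S4U_DENY_BAD_EVIDENCE,     /* evidence ticket was not issued to this service */
    S4U_DENY_NOT_FORWARDABLE,  /* evidence ticket from S4U2Self is not forwardable */
    S4U_DENY_TGT_TARGET        /* S4U2Proxy for krbtgt/ refused by policy */
};

struct principal_entry { const char *name; unsigned attributes; };

struct ticket {
    const char *client;
    const char *server;
    unsigned flags;
    const char *delegated_by;  /* delegation path; NULL unless TKT_CONSTRAINED */
};

static bool is_tgs(const char *name) { return strncmp(name, "krbtgt/", 7) == 0; }

/* S4U2Self: always permitted. The only policy decision is whether the service
 * gets a forwardable ticket for the user, i.e. one it can later present as
 * evidence to S4U2Proxy. */
struct ticket s4u2self(const struct principal_entry *svc, const char *user, bool forwardable_allowed) {
    struct ticket t = { user, svc->name, 0, NULL };
    if (forwardable_allowed) t.flags |= TKT_FORWARDABLE;
    return t;
}

/* S4U2Proxy: apply the checks in the order the thread raises them. On success
 * the issued ticket is marked with the delegation path (the impersonator). */
enum s4u_result s4u2proxy(const struct principal_entry *svc, const struct ticket *evidence,
                          const char *target, bool tgt_policy_allows, struct ticket *out) {
    if (svc->attributes & KDB_DISALLOW_SVR) return S4U_DENY_DISALLOW_SVR;
    if (strcmp(evidence->server, svc->name) != 0) return S4U_DENY_BAD_EVIDENCE;
    if (!(evidence->flags & TKT_FORWARDABLE)) return S4U_DENY_NOT_FORWARDABLE;
    if (is_tgs(target) && !tgt_policy_allows) return S4U_DENY_TGT_TARGET;  /* today: always refused */
    out->client = evidence->client;
    out->server = target;
    out->flags = TKT_CONSTRAINED;
    out->delegated_by = svc->name;
    return S4U_OK;
}

int main(void) {
    /* Constructed principals and targets for the walk-through. */
    struct principal_entry web   = { "HTTP/web.example.com@EXAMPLE.COM", 0 };
    struct principal_entry admin = { "admin/svc@EXAMPLE.COM", KDB_DISALLOW_SVR };
    const char *files = "cifs/files.example.com@EXAMPLE.COM";
    const char *tgs   = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
    struct ticket ev = s4u2self(&web, "alice@EXAMPLE.COM", true), out;

    printf("proxy to cifs:          %d\n", s4u2proxy(&web, &ev, files, false, &out));
    printf("proxy to krbtgt (today): %d\n", s4u2proxy(&web, &ev, tgs, false, &out));
    printf("proxy to krbtgt (knob):  %d\n", s4u2proxy(&web, &ev, tgs, true, &out));
    printf("DISALLOW_SVR service:    %d\n", s4u2proxy(&admin, &ev, files, true, &out));
    return 0;
}
```

The ordering matters for a defender reading KDC logs: a request refused by DISALLOW_SVR never reaches the forwardability or krbtgt checks, so the first failing check is the one that should be surfaced.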
