Unclear about Kerberos' Concepts

Rick van Rein (OpenFortress) rick at openfortress.nl
Sat Oct 5 09:42:28 EDT 2013


Hello,

Not all the concepts in Kerberos are entirely clear to me yet.  Maybe this list can help?

I am clear on the difference between client and server -- the client takes the initiative to contact a server.

I am less clear about the difference between users and services though -- are these kinds of principals that we as users have in mind, or is something like "user is always a client" and/or "service is always a server" also carved in stone in the Kerberos system and its conceptual design?  Or could a user contact a user; could a service contact a service; could a service contact a user?  (I mean with their own name, so without tricks like Ticket Forwarding or S4USelf/Proxy.)

Delegation would be the way that I can tell a secretary, or a bot, to act on my behalf.  Does this also fall under Constrained Delegation?  In other words, can I set up krbAllowedToDelegateTo in LDAP, and will CHECK_ALLOWED_TO_DELEGATE be called in such cases?

I'm still looking how to tell the system that I want to make such a delegation, by the way.  Am using krb5-user on Linux as well as Mac OS X Mountain Lion.  Anyone?


Thanks!

Rick van Rein
OpenFortress
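Added example, not part of Rick's post and not MIT krb5 or OpenFortress code: the plain ticket-forwarding form of delegation that the stock krb5-user tools support. The client asks the KDC for a forwardable TGT (kinit -f), checks the ticket flags with klist -f before relying on them, and then lets ssh -K forward the TGT to the server. The principal, host and cache names are assumptions, and the two klist outputs are constructed so the flag check can run offline. The constrained (S4U2Proxy, krbAllowedToDelegateTo) path is KDC-side configuration and is not shown here.

```shell
#!/bin/sh
# Added example (not from the original post). Delegation by ticket forwarding
# with stock MIT krb5-user tools: ask for a forwardable TGT, verify the flag,
# then let ssh forward it. Principal, host and cache names are assumptions.

# 1. Ask the KDC for a forwardable TGT. Defined only; not run in this script.
request_forwardable_tgt() {
    # -f requests the FORWARDABLE flag; the KDC grants it only if the
    # principal and realm policy allow forwardable tickets.
    kinit -f "$1"
}

# 2. Extract the flags of the TGT from 'klist -f' output ($1 is that output).
#    Flags of interest: F = forwardable, f = forwarded (what the server side sees).
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { found = 1; next }
        found && /Flags: / { sub(/.*Flags: /, ""); print; exit }
    '
}

# Exit status 0 when the TGT carries the upper-case F (forwardable) flag.
is_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# 3. Delegate to an SSH server: -K enables GSSAPI authentication plus
#    credential delegation (same as GSSAPIAuthentication=yes and
#    GSSAPIDelegateCredentials=yes in ssh_config). Defined only; not run here.
ssh_with_delegation() {
    # On the server, 'klist -f' then shows a TGT with the f (forwarded) flag.
    ssh -K "$1" 'klist -f'
}

# Constructed sample 'klist -f' output, as the client sees it after 'kinit -f'.
CONSTRUCTED_KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rick@EXAMPLE.COM

Valid starting     Expires            Service principal
10/05/13 09:42:28  10/05/13 19:42:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/06/13 09:42:28, Flags: FRIA'

# Constructed sample after a plain 'kinit' (no -f): no F flag, so ssh -K would
# still authenticate but could not hand the server a usable TGT.
CONSTRUCTED_KLIST_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rick@EXAMPLE.COM

Valid starting     Expires            Service principal
10/05/13 09:42:28  10/05/13 19:42:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

if is_forwardable "$CONSTRUCTED_KLIST_FORWARDABLE"; then
    echo "TGT is forwardable (flags: $(tgt_flags "$CONSTRUCTED_KLIST_FORWARDABLE")); ssh -K can delegate it"
fi
if ! is_forwardable "$CONSTRUCTED_KLIST_PLAIN"; then
    echo "TGT is not forwardable (flags: $(tgt_flags "$CONSTRUCTED_KLIST_PLAIN")); rerun kinit -f"
fi
```

Checking for F before connecting matters because ssh -K fails quietly on the delegation part: with a non-forwardable TGT the login still succeeds, but the server ends up with no credentials to act on the user's behalf.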

