ACL for Constrained Delegation?

Greg Hudson ghudson at MIT.EDU
Thu Feb 20 11:59:15 EST 2014


On 02/20/2014 06:34 AM, Rick van Rein wrote:
>  * These specifications do not clarify how the "list of services" is represented in the 
> attribute -- is it done through multiple krbAllowedToDelegateTo attributes (this is 
> permitted) or is there a format such as space-separation or comma-separation?

It's done only through multiple attributes.

>  * These specifications do not clarify how "services" are declared -- probably through 
> their krbPrincipalName or krbCanonicalName?  Or does that depend on the whether there 
> is a krbCanonicalName for the principal?  Are abbreviated forms (dropping the @REALM 
> part) permitted/advised?

Dropping the @REALM part should work if it is equal to the KDC realm.
The value of krbAllowedToDelegateTo is parsed as a principal name using
the standard parsing function, and compared to the target of the
constrained delegation request.

As for aliases, my reading of the code is that we have had some
unintentional behavior changes across versions.

* Up to 1.10, we compared against the server name in the request.
* In 1.11, we compared against the canonical name of the target server.
* In 1.12, we went back to comparing against the requested name.

Although the change from 1.10 to 1.11 wasn't specifically intended, it
might have been desirable in retrospect.  For the moment, you'll need to
list each service an intermediate server might request constrained
delegation to.


More information about the Kerberos mailing list