Resource based kerberos constrained delegation

Greg Hudson ghudson at mit.edu
Sun Nov 8 11:26:10 EST 2015


On 11/06/2015 07:05 AM, Stefan Dietiker wrote:
> - Is there really a dependency, that krb5-libs must support RBKCD
> (Resource based Kerberos constrained delegation)?

Looking at the latest [MS-S4U] document, it appears so.  The
intermediate server must include a PA-PAC-OPTIONS pa-data element
containing the resource-based constrained delegation bit, and it must be
prepared to follow referrals in the KDC response.

> - Does krb5-libs support RBKCD?

No.  It's possible that we already follow referrals (this would have to
be tested), but we definitely don't include PA-PAC-OPTIONS with our
S4U2Proxy requests.

> - If not now, are there any plans to support that?

I don't have a timeline to offer.  We'd of course be happy to accept
tested patches to support this after review.
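
The pa-data element named in the reply, as an added example that is not part of the original message and not krb5 code: a C encoder and strict decoder for the PA-PAC-OPTIONS padata-value, useful for checking in a packet capture or interop test whether an S4U2Proxy request carries the resource-based constrained delegation bit. The pa-data type 167, the bit position (bit 3) and the `[0]` tagging are assumptions taken from [MS-KILE] and RFC 4120 encoding rules, not from the post; the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed from [MS-KILE], not stated in the post: pa-data type 167 and
 * KerberosFlags bit 3 (counted from the MSB) for resource-based CD. */
#define PADATA_PAC_OPTIONS 167
#define PAC_OPT_RBCD 0x10000000u

/* Constructed sample: DER padata-value with only the RBCD bit set. */
static const uint8_t SAMPLE_RBCD[11] = {
    0x30, 0x09, 0xA0, 0x07, 0x03, 0x05, 0x00, 0x10, 0x00, 0x00, 0x00 };

/* Encode PA-PAC-OPTIONS ::= SEQUENCE { flags [0] KerberosFlags } with a
 * 32-bit flag field. Returns bytes written (11), or 0 if out is too small. */
size_t pac_options_encode(uint32_t flags, uint8_t *out, size_t outlen)
{
    /* SEQUENCE(9), [0] EXPLICIT(7), BIT STRING(5), 0 unused bits */
    static const uint8_t hdr[7] = { 0x30, 0x09, 0xA0, 0x07, 0x03, 0x05, 0x00 };
    if (outlen < 11) return 0;
    memcpy(out, hdr, sizeof(hdr));
    out[7] = (uint8_t)(flags >> 24); out[8] = (uint8_t)(flags >> 16);
    out[9] = (uint8_t)(flags >> 8);  out[10] = (uint8_t)flags;
    return 11;
}

/* Decode a padata-value and store its first 32 flag bits. Returns 0, or -1
 * if the nesting or lengths are inconsistent (short-form lengths only). */
int pac_options_decode(const uint8_t *in, size_t len, uint32_t *flags)
{
    if (len < 11 || len > 129) return -1;          /* at least 32 flag bits */
    if (in[0] != 0x30 || (size_t)in[1] != len - 2) return -1; /* SEQUENCE */
    if (in[2] != 0xA0 || (size_t)in[3] != len - 4) return -1; /* [0] */
    if (in[4] != 0x03 || (size_t)in[5] != len - 6) return -1; /* BIT STRING */
    if (in[6] > 7 || (len == 11 && in[6] != 0)) return -1;    /* unused bits */
    *flags = ((uint32_t)in[7] << 24) | ((uint32_t)in[8] << 16) |
             ((uint32_t)in[9] << 8) | in[10];
    return 0;
}

int main(void)
{
    uint32_t f = 0;
    int rc = pac_options_decode(SAMPLE_RBCD, sizeof(SAMPLE_RBCD), &f);
    printf("padata-type %d: rc=%d flags=0x%08x rbcd=%s\n", PADATA_PAC_OPTIONS,
           rc, (unsigned)f, (rc == 0 && (f & PAC_OPT_RBCD)) ? "set" : "clear");
    return rc;
}
```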

