Resource based kerberos constrained delegation
Greg Hudson
ghudson at mit.edu
Sun Nov 8 11:26:10 EST 2015
On 11/06/2015 07:05 AM, Stefan Dietiker wrote:
> - Is there really a dependency, that krb5-libs must support RBKCD
> (Resource based Kerberos constrained delegation)?

Looking at the latest [MS-S4U] document, it appears so. The
intermediate server must include a PA-PAC-OPTIONS pa-data element
containing the resource-based constrained delegation bit, and it must be
prepared to follow referrals in the KDC response.

> - Does krb5-libs support RBKCD?

No. It's possible that we already follow referrals (this would have to
be tested), but we definitely don't include PA-PAC-OPTIONS with our
S4U2Proxy requests.

> - If not now, are there any plans to support that?

I don't have a timeline to offer. We'd of course be happy to accept
tested patches to support this after review.
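
The PA-PAC-OPTIONS pa-data element mentioned in the reply above, sketched as an added example (not part of the original message and not MIT krb5 code). It hand-encodes and strictly decodes the DER for a 32-bit flags field; the padata type 167 and flag bit 3 are taken from Microsoft's published Kerberos extension specifications rather than from this thread, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAC_OPT_RBCD 0x10000000u /* KerberosFlags bit 3 (bit 0 is the MSB) */

/* PA-DATA ::= SEQUENCE { [1] INTEGER 167 (PA-PAC-OPTIONS), [2] OCTET STRING }.
 * 167 carries a leading 0x00 octet so DER does not read it as negative. */
static const uint8_t PA_HDR[12] = { 0x30, 0x15, 0xA1, 0x04, 0x02, 0x02, 0x00,
                                    0xA7, 0xA2, 0x0D, 0x04, 0x0B };
/* PA-PAC-OPTIONS ::= SEQUENCE { flags [0] KerberosFlags }, here with a
 * 32-bit BIT STRING and zero unused bits; the 4 flag octets follow. */
static const uint8_t OPT_HDR[7] = { 0x30, 0x09, 0xA0, 0x07, 0x03, 0x05, 0x00 };
#define PA_LEN (sizeof(PA_HDR) + sizeof(OPT_HDR) + 4) /* 23 octets */

/* Write the PA-DATA element; returns its length, or 0 if cap is too small. */
size_t encode_pac_options_padata(uint32_t flags, uint8_t *out, size_t cap)
{
    if (cap < PA_LEN)
        return 0;
    memcpy(out, PA_HDR, sizeof(PA_HDR));
    memcpy(out + sizeof(PA_HDR), OPT_HDR, sizeof(OPT_HDR));
    for (int i = 0; i < 4; i++)
        out[PA_LEN - 4 + i] = (uint8_t)(flags >> (24 - 8 * i));
    return PA_LEN;
}

/* Strict decode of the same fixed form: 0 and the flags, or -1 if it differs. */
int decode_pac_options_padata(const uint8_t *in, size_t len, uint32_t *flags)
{
    if (len != PA_LEN || memcmp(in, PA_HDR, sizeof(PA_HDR)) != 0 ||
        memcmp(in + sizeof(PA_HDR), OPT_HDR, sizeof(OPT_HDR)) != 0)
        return -1;
    in += PA_LEN - 4;
    *flags = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
             ((uint32_t)in[2] << 8) | in[3];
    return 0;
}

int main(void)
{
    uint8_t buf[32];
    uint32_t flags = 0;
    size_t n = encode_pac_options_padata(PAC_OPT_RBCD, buf, sizeof(buf));
    if (decode_pac_options_padata(buf, n, &flags) != 0)
        return 1;
    printf("%zu octets, RBCD bit set: %d\n", n, (flags & PAC_OPT_RBCD) != 0);
    return 0;
}
```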