AW: Resource based kerberos constrained delegation

Stefan Dietiker stefan.dietiker at ergon.ch
Tue Jun 28 06:03:55 EDT 2016


Hi Greg

A few months ago I asked you whether it is possible with krb5-libs to
do Resource Based Kerberos Constrained Delegation or not. You mentioned
that the Kerberos libs do not include the PA-PAC-OPTIONS which are
required for this purpose. Recently I was tracking the changes in the git
repo and realized that a new option "--request-pac" is available. I
started to test with the following version:
https://github.com/krb5/krb5/commit/c969e8a37617e9c7743a28177dd3808f7d08cee9

Despite the fact that I am using the "--request-pac" argument for kinit,
RBKCD does not work. I always get the following error message from the
trusted child domain:
"kvno: KDC policy rejects request ..." 

Before spending too much time on further analysis I want to ask you
whether the mentioned krb5-libs version supports RBKCD or not. I would
appreciate it if you could answer that question for me.

Regards
Stefan

