AW: Resource based kerberos constrained delegation
Greg Hudson
ghudson at mit.edu
Tue Jun 28 10:59:02 EDT 2016
On 06/28/2016 06:03 AM, Stefan Dietiker wrote:
> A few months ago I have asked you whether it is possible with krb5-libs to
> do Resource Based Kerberos Constrained Delegation or not. You mentioned
> that the Kerberos libs does not include the PA-PAC-OPTIONS which are
> required for this purpose. Recently I was tracking the changes in the git
> repo and realized that a new option "--request-pac" is available.
I don't believe this change bears any relation to resource based
constrained delegation. PA-PAC-REQUEST is different from PA-PAC-OPTIONS.
(I would also assume there is substantially more to implementing
resource based constrained delegation on the client than just sending
the PA-PAC-OPTIONS bit, or there would be no reason to have the bit in
the protocol.)
More information about the Kerberos
mailing list