Russ Allbery rra at
Tue Feb 10 21:42:36 EST 2004

Henry B Hotz <hotz at> writes:

> I'm not sure if we're on the same wavelength or not.  Let me try again:
> I think there should be a standard way to fill in PAC data from outside
> the KDC.  Yes, the obvious application is replacing a Windows domain
> controller, but that's not the point because that's not what I'm asking
> for.  How can anyone make use of the PAC data option to the standard if
> there's no way to get useful data into the field?

It sounds to me like what you're trying to get at is that you'd love to
see a standardized authorization service that cooperates with Kerberos.

I'd like to see that too, but it's a very hard problem, and it's not clear
to me that it's one that we're in a position to make a lot of forward
progress on.  There was one significant attempt at doing something like
this (DCE) that mostly wasn't successful, but it probably tried to do
*too* much.

