OK-AS-DELEGATE FLAG setting.
jc at F5.com
Wed May 7 12:37:19 EDT 2008
FWIW: microsoft sets this when a principal is "trusted for delegation"
in Active Directory. When a microsoft client is connecting to a
CIFS-based service and the OK_AS_DELEGATE flag is set, the microsoft
client fetches a forwardable TGT and wraps that up in the authentication
material along with the service ticket.
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu]
> On Behalf Of Douglas E. Engert
> Sent: Wednesday, May 07, 2008 12:22
> To: Ken Raeburn
> Cc: krbdev at mit.edu
> Subject: Re: OK-AS-DELEGATE FLAG setting.
> Ken Raeburn wrote:
> > On May 7, 2008, at 02:27, josephharfouch at iinet.net.au wrote:
> >> Does the MIT kerberos source code set the OK-AS-DELEGATE flag
> >> (TKT_FLG_OK_AS_DELEGATE), and if yes, then under what
> > No. Our code will display the flag in "klist" output, but has no
> > support for setting it at present.
> >> I am conducting a cross platform test where the gss client
> and server
> >> are using the z/OS Kerberos implementation, but the KDC is
> using the
> >> MIT implementation. The test case fails, unless I tell the z/OS
> >> kerberos implementation code to ignore the delegate check
> test. (We
> >> have a check_delegate flag that is turned on by default,
> but we can
> >> turn it off in krb5.conf), so I am wondering if turning
> off the check
> >> is the best way to proceed.
> > It certainly sounds like the easiest way to proceed. Modifying the
> > MIT code to set the flag (perhaps controlled by policies,
> perhaps only
> > by per-principal flags? needs some thought) would be more work, but
> > would let you retain the check.
> If I recall, there was a request from one of the other Labs
> to have MIT clients check for the flag being set, much like a
> Windows SSPI client does before delegating. So it might be a
> good feature to allow
> the KDC set the flag based on per-server flags. As it allows a
> client to authenticate to a semi-trusted server, but not
> delegate to it. Gives the realm admin some control over what
> machines are trusted with delegated credentials.
> FireFox or other browsers using SPNEGO may also check the
> flag, they probably don't today but they may in the future.
> On Windows the ksetup /setRealmFlags Delegate can override
> the test for non-Windows realms.
> > Ken
> > _______________________________________________
> > krbdev mailing list krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> krbdev mailing list krbdev at mit.edu
More information about the krbdev