Simo Sorce ssorce at redhat.com
Wed May 7 16:23:27 EDT 2008

On Wed, 2008-05-07 at 12:37 -0400, JC Ferguson wrote:
> FWIW: microsoft sets this when a principal is "trusted for delegation"
> in Active Directory.  When a microsoft client is connecting to a
> CIFS-based service and the OK_AS_DELEGATE flag is set, the microsoft
> client fetches a forwardable TGT and wraps that up in the authentication
> material along with the service ticket. 

It would be very useful to have a flag like that to mark trusted
Being able to forward TGTs is very useful in some cases, but the
downside is that then you end up forwarding it just to everybody. Being
able to say, at the KDC level, whom the client should fully trust or not
would be a major improvement.


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list