Anonymous, s4u and authorization data
ghudson at MIT.EDU
Thu Dec 17 16:16:24 EST 2009
On Thu, 2009-12-17 at 11:07 -0500, Sam Hartman wrote:
> In particular, I think this means that the kdb plugin, and signed
> delegation path plugins will be skipped for anonymous tickets.
> I'm not sure whether this is right. It's quite clear we cannot simply
> call the kdb plugin: we definitely do not want a PAC issued. However I
> haven't really thought through the s4u implications yet. Your thoughts
> would be appreciated.
Perhaps doing this via a function call would be more correct, so that
the kdb plugin could delegate the question to the DB layer. I don't
feel strongly about the issue at this time, though.
I'll defer to Luke on the S4U implications.
More information about the krbdev