Anonymous, s4u and authorization data

Greg Hudson ghudson at MIT.EDU
Thu Dec 17 16:16:24 EST 2009

On Thu, 2009-12-17 at 11:07 -0500, Sam Hartman wrote:
> In particular, I think this means that the kdb plugin, and signed
> delegation path plugins will be skipped for anonymous tickets.
> I'm not sure whether this is right.  It's quite clear we cannot simply
> call the kdb plugin: we definitely do not want a PAC issued.  However I
> haven't really thought through the s4u implications yet.  Your thoughts
> would be appreciated.

Perhaps doing this via a function call would be more correct, so that
the kdb plugin could delegate the question to the DB layer.  I don't
feel strongly about the issue at this time, though.

I'll defer to Luke on the S4U implications.

More information about the krbdev mailing list