Luke Howard lukeh at padl.com
Mon Feb 2 01:30:17 EST 2009

Hi Nikhil,

On 02/02/2009, at 4:12 PM, Nikhil Mishra wrote:

> Thanks Luke and I understand the purpose of db_invoke.
> But then as I understand, for constrained delegation to work on kdc
> side, db_invoke has to be implemented or at least in some form
> check_allowed_to_delegate_to should be able to call some db function
> to check given service principal is allowed to delegate to given
> proxy_princ.
> Is there any such db function as of now?

As I mentioned: there is no implementation in any of the backends  
shipped with MIT; you'll need to implement this yourself.

> If I understand it correctly from previous email exchanges
> constrained delegation should work on kdc side for MIT Kerberos?

The only db_invoke implementation presently is the (proprietary)  
Novell DSfW backend.

-- Luke
