db_invoke
Nikhil Mishra
ls.niks at gmail.com
Wed Feb 4 01:43:06 EST 2009
I was able to successfully do S4U request against windows KDC using MIT
kerberos as clients .
Now , I am working on providing the API's.
I have following two issues now :
1. The problem is with limitations in existing API to accomodate the
incoming user principal .
We can create a PA_DATA_FOR_USER in here
krb5_error_code krb5_get_cred_via_tkt
(krb5_context,
krb5_creds *,
krb5_flags,
krb5_address * const *,
krb5_creds *,
krb5_creds **);
This should be modified to be able to take a client name as well.
Please add commnets/reviews.
2. Since I understand the constrained delegation feature is committed only
in current trunk,
What is the timeline we are looking forward to for next stable release for
MIT kerberos ?
--Nikhil
On Mon, Feb 2, 2009 at 12:00 PM, Luke Howard <lukeh at padl.com> wrote:
> Hi Nikhil,
>
> On 02/02/2009, at 4:12 PM, Nikhil Mishra wrote:
>
> Thanks Luke and I understand the purpose of db_invoke .
>>
>> But then as I understand, for constrained delegation to work on kdc side,
>> db_invoke has to be implemented or at least in some form
>> check_allowed_to_delegate_to should be able to call some db function to
>> check given service principal is allowed to delegate to given proxy_princ .
>>
>> Is there any such db function as of now ?
>>
>
> As I mentioned: there is no implementation in any of the backends shipped
> with MIT; you'll need to implement this yourself.
>
> If I understand it correctly from previous email exchanges constrained
>> delegation should work on kdc side for MIT kerberos ?
>>
>
> The only db_invoke implementation presently is the (proprietary) Novell
> DSfW backend.
>
> -- Luke
>
More information about the krbdev
mailing list