Nikhil Mishra ls.niks at gmail.com
Wed Feb 4 01:43:06 EST 2009

I was able to successfully do S4U request against windows KDC using MIT
kerberos as clients .
Now , I am working on providing the API's.

I have following two issues now :

1. The problem is with limitations in existing API to accomodate the
incoming user principal .

We can create a PA_DATA_FOR_USER in here

krb5_error_code krb5_get_cred_via_tkt
                   krb5_creds *,
                   krb5_address * const *,
                   krb5_creds *,
                   krb5_creds **);

This should be modified to be able to take a client name as well.
Please add commnets/reviews.

2. Since I understand the constrained delegation feature is committed only
in current trunk,
What is the timeline we are looking forward to for next stable release for
MIT kerberos ?


On Mon, Feb 2, 2009 at 12:00 PM, Luke Howard <lukeh at padl.com> wrote:

> Hi Nikhil,
> On 02/02/2009, at 4:12 PM, Nikhil Mishra wrote:
>  Thanks Luke and I understand the purpose of db_invoke .
>> But then as I understand, for constrained delegation to work on kdc side,
>> db_invoke has to be implemented or at least in some form
>> check_allowed_to_delegate_to should be able to call some db function to
>> check given service principal is allowed to delegate to given proxy_princ .
>> Is there any such db function as of now ?
> As I mentioned: there is no implementation in any of the backends shipped
> with MIT; you'll need to implement this yourself.
>  If I understand it correctly from previous email exchanges constrained
>> delegation should work on kdc side for MIT kerberos ?
> The only db_invoke implementation presently is the (proprietary) Novell
> DSfW backend.
> -- Luke

More information about the krbdev mailing list