ls.niks at gmail.com
Wed Feb 4 01:43:06 EST 2009
I was able to successfully do an S4U request against a Windows KDC using MIT
Kerberos as clients.
Now, I am working on providing the APIs.
I have the following two issues now:
1. The problem is with limitations in the existing API to accommodate the
incoming user principal.
We can create a PA_DATA_FOR_USER in here
krb5_address * const *,
This should be modified to be able to take a client name as well.
Please add comments/reviews.
2. Since I understand the constrained delegation feature is committed only
in the current trunk,
what is the timeline we are looking forward to for the next stable release for
MIT Kerberos?
On Mon, Feb 2, 2009 at 12:00 PM, Luke Howard <lukeh at padl.com> wrote:
> Hi Nikhil,
> On 02/02/2009, at 4:12 PM, Nikhil Mishra wrote:
>> Thanks Luke and I understand the purpose of db_invoke.
>> But then as I understand, for constrained delegation to work on KDC side,
>> db_invoke has to be implemented or at least in some form
>> check_allowed_to_delegate_to should be able to call some db function to
>> check given service principal is allowed to delegate to given proxy_princ.
>> Is there any such db function as of now?
> As I mentioned: there is no implementation in any of the backends shipped
> with MIT; you'll need to implement this yourself.
>> If I understand it correctly from previous email exchanges constrained
>> delegation should work on KDC side for MIT Kerberos?
> The only db_invoke implementation presently is the (proprietary) Novell
> DSfW backend.
> -- Luke