Project Review: kinit -C

Luke Howard lukeh at padl.com
Wed Sep 15 09:20:23 EDT 2010


>    Luke> Um, can't we use S4U2Self for this? Or am I missing something
>    Luke> very obvious?
> 
> Are s4u2self tickets marked as such?

No, they're not. S4U2Self is always permitted; the real policy knob concerns whether it can get you forwardable tickets, which you can then use with S4U2Proxy. S4U2Proxy (constrained delegation) tickets are marked with the delegation path.

Presently it is impossible to use S4U2Proxy to acquire a TGT: there's a specific check to disallow this.

What we could do is allow you to use S4U2Proxy to get a TGT contingent on some policy knob. If we need to mark tickets then we can do it with MANDATORY-FOR-KDC authorisation data.

The only catch is that the administrative accounts cannot have KRB5_KDB_DISALLOW_SVR if they are to be used with S4U2Proxy.

-- Luke
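As an added illustration (not code from this thread or from MIT krb5), the following Python model encodes the policy rules Luke lays out above: S4U2Self is always permitted and only the forwardable flag is gated by a per-principal knob, S4U2Proxy output carries the delegation path, a TGT cannot be acquired via S4U2Proxy unless a policy knob allows it, and a DISALLOW_SVR principal cannot be the server of any ticket, which is what breaks the chain for such accounts. The attribute names follow MIT's kdb attribute names; the allow_proxy_tgt knob, the allowed_to_delegate_to list, the sample principals and the realm are assumptions made for this example.

```python
"""Toy model of the S4U2Self / S4U2Proxy policy rules discussed above.

Constructed stand-alone simulation, not MIT krb5 code. The delegation path
is modelled as a tuple standing in for MANDATORY-FOR-KDC authorization
data; allow_proxy_tgt is a hypothetical policy knob.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Attr(Flag):
    """Principal attributes, named after MIT's kdb attribute names."""
    NONE = 0
    DISALLOW_SVR = auto()            # may never be a ticket's server
    DISALLOW_FORWARDABLE = auto()    # may not be issued forwardable tickets
    OK_TO_AUTH_AS_DELEGATE = auto()  # S4U2Self to this service yields forwardable tickets


@dataclass(frozen=True)
class Principal:
    name: str
    attrs: Attr = Attr.NONE
    allowed_to_delegate_to: frozenset = frozenset()  # constrained-delegation targets (assumed ACL)


@dataclass(frozen=True)
class Ticket:
    client: str
    server: str
    forwardable: bool
    delegation_path: tuple = ()  # non-empty only for S4U2Proxy-issued tickets


class PolicyError(Exception):
    pass


def issue_ticket(db, client, server, forwardable, delegation_path=()):
    """Check common to every TGS issue: DISALLOW_SVR blocks the server role."""
    if server not in db:
        raise PolicyError(f"unknown server {server}")
    if Attr.DISALLOW_SVR in db[server].attrs:
        raise PolicyError(f"{server} has DISALLOW_SVR and cannot be a ticket server")
    return Ticket(client, server, forwardable, delegation_path)


def s4u2self(db, service, for_user):
    """`service` asks for a ticket to itself in the name of `for_user`.

    Always permitted; the only policy decision is the forwardable flag.
    """
    attrs = db[service].attrs
    forwardable = (Attr.OK_TO_AUTH_AS_DELEGATE in attrs
                   and Attr.DISALLOW_FORWARDABLE not in attrs)
    return issue_ticket(db, for_user, service, forwardable)


def s4u2proxy(db, evidence, proxy, target, allow_proxy_tgt=False):
    """`proxy` presents `evidence` (a ticket to itself) to obtain a ticket
    for `target` in the name of evidence.client."""
    if evidence.server != proxy:
        raise PolicyError("evidence ticket is not addressed to the requesting service")
    if not evidence.forwardable:
        raise PolicyError("evidence ticket is not forwardable")
    if target.startswith("krbtgt/") and not allow_proxy_tgt:
        raise PolicyError("S4U2Proxy may not be used to acquire a TGT")
    if target not in db[proxy].allowed_to_delegate_to:
        raise PolicyError(f"{proxy} is not allowed to delegate to {target}")
    # The issued ticket is marked with the delegation path it travelled.
    return issue_ticket(db, evidence.client, target, evidence.forwardable,
                        evidence.delegation_path + (proxy,))


def outcome(fn, *args, **kwargs):
    """Run a request and return either the Ticket or the refusal message."""
    try:
        return fn(*args, **kwargs)
    except PolicyError as e:
        return str(e)


def sample_db():
    """Constructed principals for the demonstration (not real data)."""
    tgt = "krbtgt/EXAMPLE.COM"
    return {p.name: p for p in (
        Principal(tgt),
        Principal("host/web.example.com", Attr.OK_TO_AUTH_AS_DELEGATE, frozenset({tgt})),
        Principal("host/plain.example.com", Attr.NONE, frozenset({tgt})),
        Principal("admin/locked", Attr.OK_TO_AUTH_AS_DELEGATE | Attr.DISALLOW_SVR, frozenset({tgt})),
    )}


if __name__ == "__main__":
    db, tgt, web = sample_db(), "krbtgt/EXAMPLE.COM", "host/web.example.com"
    ev = s4u2self(db, web, "alice@EXAMPLE.COM")
    print(outcome(s4u2proxy, db, ev, web, tgt))                        # refused: TGT
    print(outcome(s4u2proxy, db, ev, web, tgt, allow_proxy_tgt=True))  # marked ticket
    print(outcome(s4u2self, db, "admin/locked", "alice@EXAMPLE.COM"))  # DISALLOW_SVR
```

The three runs at the bottom trace the message's three points in order: the TGT refusal, the same request succeeding once the knob is set (with the proxy recorded in delegation_path), and the DISALLOW_SVR account failing at the very first step of the chain.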
