Alternative proxy-creds API for constrained-delegation

Nico Williams nico at
Tue Jun 2 23:30:47 EDT 2020

On Wed, Jun 03, 2020 at 01:29:23AM +0200, Isaac Boukris wrote:
> On Wed, Jun 3, 2020 at 12:05 AM Nico Williams <nico at> wrote:
> > On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> > > I'd still love to see an application signal for the service ticket
> > > using a cred option or name attribute, more likely to help in samba.
> >
> > What exactly would the option specify?  I'm certain we can fit it in one
> > of three different ways though.
> It could specify the delegation-policy for this creds/context for
> example, or we can make the ticket always available via
> name-attributes like Simo suggested, but that would be somewhat
> unrelated work.

So you're saying you want to be able to say "only accept traditional
delegated credentials, don't do S4U2Proxy" and also be able to say
"either is fine"?  And configuration is not enough?  Anyways, my
preference for that is to use gss_acquire_cred_from().

More information about the krbdev mailing list