Alternative proxy-creds API for constrained-delegation

Isaac Boukris iboukris at gmail.com
Wed Jun 3 07:45:54 EDT 2020


Removing heimdal-discuss to avoid duplicates.

On Wed, Jun 3, 2020 at 5:30 AM Nico Williams <nico at cryptonector.com> wrote:
>
> On Wed, Jun 03, 2020 at 01:29:23AM +0200, Isaac Boukris wrote:
> > On Wed, Jun 3, 2020 at 12:05 AM Nico Williams <nico at cryptonector.com> wrote:
> > > On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> > > > I'd still love to see an application signal for the service ticket
> > > > using a cred option or name attribute, more likely to help in samba.
> > >
> > > What exactly would the option specify?  I'm certain we can fit it in one
> > > of three different ways though.
> >
> > It could specify the delegation-policy for this creds/context for
> > example, or we can make the ticket always available via
> > name-attributes like Simo suggested, but that would be somewhat
> > unrelated work.
>
> So you're saying you want to be able to say "only accept traditional
> delegated credentials, don't do S4U2Proxy" and also be able to say
> "either is fine"?  And configuration is not enough?  Anyways, my
> preference for that is to use gss_acquire_cred_from().

Yeah, I want a way to override the krb5.conf defaults, when the app
knows exactly what it wants, and wants to know what it gets.

I think a context option would have been more adequate if we had one, but
cred-based is fine too.
