

Re: Query regarding S4U2Self protocol extension

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Tue Jul 27 12:31:28 2021

In-Reply-To: <CAMeQEL_sJojTFJA0XWHNoVjPV-=_yGSMD7LpegF2QHR+PVC0Dg@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 27 Jul 2021 19:28:19 +0300
Message-ID: <CAC-fF8S7PSPdFuVT31zEgkyiQ2WPyESRzY28FSOxSXh7=01rYw@mail.gmail.com>
To: Vipul Mehta <vipulmehta.1989@gmail.com>
Cc: kerberos <kerberos@mit.edu>

On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
>
> Need a clarification:
> MIT KDC will set the forwardable flag in the S4U2Self ticket in the following cases
> (provided the account is not sensitive and not part of a secure group):
> 1) ok_to_auth_as_delegate is true
> or
> 2) ok_to_auth_as_delegate is false and the Service TGT has the forwardable flag set

In case 2) we'll also check that
'ServicesAllowedToSendForwardedTicketsTo' is empty, as in the doc. I
was just suggesting, implementation-wise, that we do it in the plugin
instead of the KDC itself: when the principal is retrieved, the
plugin will add 'ok_to_auth_as_delegate' if
'ServicesAllowedToSendForwardedTicketsTo' is empty.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
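The forwardable-flag decision discussed in this thread, modelled as a small policy function. This is an added example, not MIT krb5 code and not code from either poster: it encodes the rule exactly as the two messages state it (sensitive accounts and members of a secure group never get a forwardable S4U2Self ticket; otherwise ok_to_auth_as_delegate grants it, or an empty 'ServicesAllowedToSendForwardedTicketsTo' list together with a forwardable service TGT does). The dataclass shapes, the `plugin_load` helper that mimics the plugin-side normalisation Isaac proposes, the audit helper and the sample principals are assumptions constructed for illustration.

```python
import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceEntry:
    """Attributes of the requesting service as named in the thread (shape assumed)."""
    name: str
    ok_to_auth_as_delegate: bool = False
    # 'ServicesAllowedToSendForwardedTicketsTo' from the thread; an empty tuple
    # means no service is listed for this principal.
    services_allowed_to_send_forwarded_tickets_to: tuple = ()


@dataclass(frozen=True)
class TargetUser:
    """The account the service asks to authenticate as (shape assumed)."""
    name: str
    sensitive: bool = False        # "account is not sensitive"
    in_secure_group: bool = False  # "not part of a secure group"


def s4u2self_forwardable(service: ServiceEntry, user: TargetUser,
                         service_tgt_forwardable: bool) -> bool:
    """KDC-side rule as stated in the thread.

    Case 0: sensitive accounts / secure-group members: never forwardable.
    Case 1: ok_to_auth_as_delegate set: forwardable.
    Case 2: flag not set, service TGT forwardable, and the
            'ServicesAllowedToSendForwardedTicketsTo' list empty: forwardable.
    """
    if user.sensitive or user.in_secure_group:
        return False
    if service.ok_to_auth_as_delegate:
        return True
    return bool(service_tgt_forwardable) and \
        not service.services_allowed_to_send_forwarded_tickets_to


def plugin_load(entry: ServiceEntry) -> ServiceEntry:
    """Plugin-side variant Isaac suggests: when the principal is retrieved, the
    database plugin adds ok_to_auth_as_delegate if the list is empty, so the
    KDC itself only has to look at that one flag."""
    if (not entry.ok_to_auth_as_delegate
            and not entry.services_allowed_to_send_forwarded_tickets_to):
        return dataclasses.replace(entry, ok_to_auth_as_delegate=True)
    return entry


def implicit_forwardable_services(entries) -> list:
    """Audit helper: services that can obtain a forwardable S4U2Self ticket
    through case 2 alone, i.e. without ok_to_auth_as_delegate being set
    explicitly. Useful when reviewing which principals silently qualify."""
    return sorted(e.name for e in entries
                  if not e.ok_to_auth_as_delegate
                  and not e.services_allowed_to_send_forwarded_tickets_to)


# Constructed sample principals (not from the thread).
SAMPLE_SERVICES = {
    "web":  ServiceEntry("web", ok_to_auth_as_delegate=True),
    "app":  ServiceEntry("app"),                                   # flag unset, list empty
    "db":   ServiceEntry("db", services_allowed_to_send_forwarded_tickets_to=("web",)),
}
SAMPLE_USERS = {
    "alice": TargetUser("alice"),
    "admin": TargetUser("admin", sensitive=True),
}


if __name__ == "__main__":
    for svc in SAMPLE_SERVICES.values():
        for user in SAMPLE_USERS.values():
            for tgt_fwd in (True, False):
                print(f"{svc.name:4} -> {user.name:6} tgt_forwardable={tgt_fwd!s:5} "
                      f"forwardable={s4u2self_forwardable(svc, user, tgt_fwd)}")
    print("case-2-only services:", implicit_forwardable_services(SAMPLE_SERVICES.values()))
```

Running the block prints the decision for every sample combination; `implicit_forwardable_services` is the check a domain owner would run over their own service entries to see which principals qualify only because their 'ServicesAllowedToSendForwardedTicketsTo' list is empty.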
