[20106] in Kerberos_V5_Development

Re: Alternative proxy-creds API for constrained-delegation

daemon@ATHENA.MIT.EDU (Nico Williams)
Tue Jun 2 23:31:03 2020

Date: Tue, 2 Jun 2020 22:30:47 -0500
From: Nico Williams <nico@cryptonector.com>
To: Isaac Boukris <iboukris@gmail.com>
Message-ID: <20200603033046.GV7856@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAC-fF8SwWEaYzskaDST0x-DtasOttuNxTygyLnQ9umvJi9wf6g@mail.gmail.com>
Cc: Simo Sorce <simo@redhat.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
        heimdal-discuss@heimdal.software
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, Jun 03, 2020 at 01:29:23AM +0200, Isaac Boukris wrote:
> On Wed, Jun 3, 2020 at 12:05 AM Nico Williams <nico@cryptonector.com> wrote:
> > On Tue, Jun 02, 2020 at 08:35:14PM +0200, Isaac Boukris wrote:
> > > I'd still love to see an application signal for the service ticket
> > > using a cred option or name attribute, more likely to help in samba.
> >
> > What exactly would the option specify?  I'm certain we can fit it in one
> > of three different ways though.
> 
> It could specify the delegation-policy for this creds/context for
> example, or we can make the ticket always available via
> name-attributes like Simo suggested, but that would be somewhat
> unrelated work.

So you're saying you want to be able to say "only accept traditional
delegated credentials, don't do S4U2Proxy" and also be able to say
"either is fine"?  And configuration is not enough?  Anyways, my
preference for that is to use gss_acquire_cred_from().
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev