Simo Sorce <s...@redhat.com> writes: > It is a very nice to have, but, it would be really nice if you did not > use unbounded delegation (ie send the whole TGT) but ratherr allow to > either just send a ticket (set of tickets) for whatever action may be > neded, and/or support constrained delegation on the receiving end > (s4u2proxy).
s4u2proxy feels like the right tool to me. I don't like the idea of unconstrained delegation, and constrained delegation where the client sends a specific ticket requires the client know what ticket to send. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
