On 11/06/2015 07:05 AM, Stefan Dietiker wrote: > - Is there really a dependency, that krb5-libs must support RBKCD > (Resource based Kerberos constrained delegation)?
Looking at the latest [MS-S4U] document, it appears so. The intermediate server must include a PA-PAC-OPTIONS pa-data element containing the resource-based constrained delegation bit, and it must be prepared to follow referrals in the KDC response. > - Does krb5-libs support RBKCD? No. It's possible that we already follow referrals (this would have to be tested), but we definitely don't include PA-PAC-OPTIONS with our S4U2Proxy requests. > - If not now, are there any plans to support that? I don't have a timeline to offer. We'd of course be happy to accept tested patches to support this after review. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
