On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1...@gmail.com> wrote:
>
> Need a clarification:
> MIT KDC will set the forwardable flag in S4U2Self ticket in following cases
> (provided account is not sensitive and not part of secure group):
> 1) ok_to_auth_as_delegate is true
> or
> 2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag set

In case of 2) we'll also check that 'ServicesAllowedToSendForwardedTicketsTo' is empty, like in the doc. I was just suggesting, implementation-wise, that we do it in the plugin instead of the KDC itself; that is, when the principal is retrieved, the plugin will add 'ok_to_auth_as_delegate' if 'ServicesAllowedToSendForwardedTicketsTo' is empty.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos