From: Nalin Dahyabhai
To: "DEEngert@anl.gov via RT"
Subject: Re: [krbdev.mit.edu #5596] patch for providing a way to set the ok-as-delegate flag
Date: Wed, 18 Jul 2007 14:59:51 -0400
Message-ID: <20070718185950.GA17547@redhat.com>
Organization: Red Hat, Inc.

On Wed, Jul 18, 2007 at 02:01:31PM -0400, DEEngert@anl.gov via RT wrote:
> It does not require the client to delegate! The Sandia mods are enforcing
> a local policy that will only delegate if the KDC says the server is trusted,
> and the client requests delegation, i.e. called krb5_fwd_tgt_creds(). In effect
> doing what Windows clients and AD do by default.

Maybe I'm coming at this from the wrong direction. Is the intent to be able to disallow credential delegation in cases when the application is specifically requesting it?
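The policy the quoted reply describes, forward a TGT only when the application asks for it and the KDC has marked the service ticket ok-as-delegate, as an added example in C. This is not code from the thread, from the Sandia modifications, or from MIT krb5; it stands in for the check a client would make on the ticket flags of the service credentials before calling krb5_fwd_tgt_creds(). The TKT_FLG_* values and the klist-style flag letters are reproduced from MIT krb5 so the file compiles without libkrb5 (check them against your installed krb5.h); delegation_allowed(), format_ticket_flags(), flags_match() and the sample flag words are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ticket flag bits as defined by MIT krb5's TKT_FLG_* macros. Reproduced
 * here (assumption: verify against your krb5.h) so this example compiles
 * without linking libkrb5. */
#define TKT_FLG_FORWARDABLE     0x40000000u
#define TKT_FLG_FORWARDED       0x20000000u
#define TKT_FLG_PROXIABLE       0x10000000u
#define TKT_FLG_PROXY           0x08000000u
#define TKT_FLG_RENEWABLE       0x00800000u
#define TKT_FLG_INITIAL         0x00400000u
#define TKT_FLG_PRE_AUTH        0x00200000u
#define TKT_FLG_OK_AS_DELEGATE  0x00040000u

/* Local policy modelled on the one described in the thread (example, not
 * the Sandia code): forward a TGT only when (a) the application asked to,
 * i.e. it is about to call krb5_fwd_tgt_creds(), and (b) the KDC set
 * ok-as-delegate on the service ticket. Either condition alone is refused. */
int delegation_allowed(uint32_t service_ticket_flags, int app_requested)
{
    if (!app_requested)
        return 0;
    return (service_ticket_flags & TKT_FLG_OK_AS_DELEGATE) != 0;
}

/* Render a subset of the flags the way `klist -f` prints them, so what the
 * policy sees can be matched against klist output. 'O' is ok-as-delegate. */
void format_ticket_flags(uint32_t flags, char *out, size_t outlen)
{
    static const struct { uint32_t bit; char letter; } table[] = {
        { TKT_FLG_FORWARDABLE,    'F' },
        { TKT_FLG_FORWARDED,      'f' },
        { TKT_FLG_PROXIABLE,      'P' },
        { TKT_FLG_PROXY,          'p' },
        { TKT_FLG_RENEWABLE,      'R' },
        { TKT_FLG_INITIAL,        'I' },
        { TKT_FLG_PRE_AUTH,       'A' },
        { TKT_FLG_OK_AS_DELEGATE, 'O' },
    };
    size_t n = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0] && n + 1 < outlen; i++)
        if (flags & table[i].bit)
            out[n++] = table[i].letter;
    if (outlen > 0)
        out[n] = '\0';
}

/* Convenience: does this flag word render as the given klist-style string? */
int flags_match(uint32_t flags, const char *expected)
{
    char buf[32];
    format_ticket_flags(flags, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample flag words for two service tickets: the first for a
     * principal the KDC marked ok-as-delegate, the second for one it did not. */
    uint32_t trusted   = TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE |
                         TKT_FLG_PRE_AUTH | TKT_FLG_OK_AS_DELEGATE;
    uint32_t untrusted = TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE | TKT_FLG_PRE_AUTH;
    char buf[32];

    format_ticket_flags(trusted, buf, sizeof buf);
    printf("trusted service:   flags=%s  forward? %d\n", buf, delegation_allowed(trusted, 1));
    format_ticket_flags(untrusted, buf, sizeof buf);
    printf("untrusted service: flags=%s  forward? %d\n", buf, delegation_allowed(untrusted, 1));
    /* The application did not ask, so even a trusted service gets no TGT. */
    printf("trusted, not requested: forward? %d\n", delegation_allowed(trusted, 0));
    return 0;
}
```

In a real client the flag word would come from the ticket_flags member of the krb5_creds returned by krb5_get_credentials() for the target service, and the policy check would gate the call to krb5_fwd_tgt_creds(). Note the asymmetry the policy creates: an application that never asks to forward is unaffected, while one that does ask is still refused unless the KDC vouched for the service, which is exactly the situation Nalin's question is probing.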