Given we support s4u2proxy and might want to use it to let the framework access a trusted domain, it is appropriate to add delegation info to the MS-PAC as that data is how AD keeps track of delegations and can apply (restrictive) policy if needed.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=915799
Moving unfinished March tickets to April milestone.
As agreed with Alexander, turning this ticket into an enhancement.
Simo's initial patch for this feature 0001-Add-Delegation-Info-to-MS-PAC.patch
We probably won't be able to deliver this feature for 7.0, moving to Triage to let us decide.
It is a part of the OTP work. It is not a RHEL7 target but it should stay where it was and picked by Nathaniel when he can. It it does not fit. It should be automatically pushed to the next upstream milestone. It would be really great if some aspects of this functionality would be ready for the OTP test day in June.
I should clarify, next round of changing authorization data in the Kerberos ticket would be done in the context of the OTP work. It is unclear though that this specific aspect would be in scope or not (now when I read the ticket more closely). It might make sense to group authorization data tickets together.
Moving open tickets to next month bucket.
3.3 development is finishing, this patch is not required for this release, moving to the next one.
3.4 development was shifted for one month, moving tickets to reflect reality better.
master: 5157fd4
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 4.0 - 2013/10
Login to comment on this ticket.