#5444 [RFE] Support Resource based kerberos constrained delegation
Opened 6 years ago by simo. Modified 2 years ago

RBKCD is a new delegation model in Windows AD 2012 that allows cross-forest s4u2proxy to work.
It depends on a new option in the MS-PAC being set.
Documented in:
in paragraph 2.2.5

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.5 backlog

5 years ago

This article discusses the implementation & benefits of the new "resource based constrained delegation" of Windows AD 2012:

Are there currently plans to implement this in freeipa?

It seems Resource Based Constrained Delegation has now been implemented in upstream mit kerberos: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479

Yes, it is part of 1.18 release. We need to design quite a bit of things on FreeIPA side before working on this:

  • how to store the access controls for RBCD in LDAP
  • how to manage them from API, CLI, and Web UI
  • what should be default settings for standard IPA services
  • etc.

If you have any ideas or use cases, feel free to provide them here in comments.

Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

2 years ago
