#5444 [RFE] Support Resource based kerberos constrained delegation
Opened 6 years ago by simo. Modified 2 years ago

RBKCD is a new delegation model in Windows AD 2012 that allows cross-forest s4u2proxy to work.
It depends on a new option in the MS-PAC being set.
Documented in:
http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SFU%5D.pdf
in paragraph 2.2.5


Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.5 backlog

5 years ago

This article discusses the implementation & benefits of the new "resource based constrained delegation" of Windows AD 2012:
http://windowsitpro.com/security/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1

Are there currently plans to implement this in FreeIPA?

It seems Resource Based Constrained Delegation has now been implemented in upstream MIT Kerberos: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479

Yes, it is part of 1.18 release. We need to design quite a bit of things on FreeIPA side before working on this:

  • how to store the access controls for RBCD in LDAP
  • how to manage them from API, CLI, and Web UI
  • what the default settings should be for standard IPA services
  • etc

If you have any ideas or use cases, feel free to provide them here in comments.

Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

2 years ago
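An added example, not code from this ticket, from FreeIPA or from MIT krb5: a small Python model of the S4U2Proxy authorization decision that contrasts where classic KCD and RBCD keep the access control (on the front-end service versus on the back-end resource). It is meant to make the first design question above, where the RBCD access controls live, concrete. The principal names, realms and the `evidence_pac_ok` boolean are constructed assumptions of this example; the real condition is the MS-PAC requirement the ticket description points at (MS-SFU paragraph 2.2.5), and the realm rule for classic KCD is the simplification that it does not cross forest boundaries.

```python
# Added example (not from the ticket, FreeIPA or MIT krb5): a simplified model
# of the S4U2Proxy authorization check under classic KCD versus RBCD.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str   # e.g. "HTTP/web.ipa.test" (constructed sample names)
    realm: str  # e.g. "IPA.TEST"


@dataclass
class ServiceEntry:
    """What a KDC looks up for a service when deciding an S4U2Proxy request.

    Classic KCD keeps the policy on the FRONT-END service (the one that wants
    to impersonate the user).  RBCD keeps it on the BACK-END resource (the
    target service), so the resource's own realm/forest makes the decision.
    """
    principal: Principal
    allowed_to_delegate_to: frozenset = frozenset()     # classic KCD, on front-end
    allowed_to_act_on_behalf: frozenset = frozenset()   # RBCD, on the resource


def authorize_s4u2proxy(front_end, resource, evidence_pac_ok, model):
    """Return (allowed, reason) for front_end requesting a ticket to resource
    on behalf of a user, using the evidence ticket it holds.

    evidence_pac_ok is an assumption of this example: a boolean standing in for
    the MS-PAC data the KDC must find in the evidence ticket (MS-SFU 2.2.5).
    It is not a real flag name.
    """
    if model == "classic":
        if front_end.principal.realm != resource.principal.realm:
            return False, "classic KCD does not cross realm/forest boundaries"
        if resource.principal not in front_end.allowed_to_delegate_to:
            return False, "resource not in front-end's allowed-to-delegate-to list"
        return True, "classic KCD: front-end policy permits this target"
    if model == "rbcd":
        if not evidence_pac_ok:
            return False, "evidence ticket lacks the PAC data RBCD requires"
        if front_end.principal not in resource.allowed_to_act_on_behalf:
            return False, "front-end not in resource's allowed-to-act-on-behalf list"
        return True, "RBCD: resource policy permits this front-end"
    raise ValueError(f"unknown model {model!r}")


def run_scenarios():
    """Constructed scenarios: one IPA realm, one AD realm, one front-end service."""
    web = Principal("HTTP/web.ipa.test", "IPA.TEST")
    cifs = Principal("cifs/files.ipa.test", "IPA.TEST")
    sql = Principal("MSSQLSvc/db.ad.test", "AD.TEST")

    # Classic KCD: the front-end service lists the targets it may delegate to.
    web_entry = ServiceEntry(web, allowed_to_delegate_to=frozenset({cifs}))
    cifs_entry = ServiceEntry(cifs)
    # RBCD: the cross-realm resource lists the front-ends allowed to act for users.
    sql_entry = ServiceEntry(sql, allowed_to_act_on_behalf=frozenset({web}))

    return {
        "classic same-realm": authorize_s4u2proxy(web_entry, cifs_entry, True, "classic"),
        "classic cross-realm": authorize_s4u2proxy(web_entry, sql_entry, True, "classic"),
        "rbcd cross-realm": authorize_s4u2proxy(web_entry, sql_entry, True, "rbcd"),
        "rbcd cross-realm no PAC": authorize_s4u2proxy(web_entry, sql_entry, False, "rbcd"),
        "rbcd resource without policy": authorize_s4u2proxy(web_entry, cifs_entry, True, "rbcd"),
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in run_scenarios().items():
        print(f"{scenario:30s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point of the model for the FreeIPA design is the asymmetry: classic KCD policy is an attribute of the impersonating service, so an administrator of the resource cannot see or control it, while RBCD policy is an attribute of the resource itself and is evaluated in the resource's realm, which is what makes the cross-forest case workable and decides which LDAP entry the access control should hang off.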
