[cifs-protocol] MS-PAC: Constrained Delegation Information
Andreas Schneider
asn at samba.org
Mon Nov 29 09:15:34 UTC 2021
Hello dochelp,
I have some requests for clarification for:
=== snip ===
2.9 Constrained Delegation Information
The S4U_DELEGATION_INFO structure lists the services that have been delegated
through this Kerberos client and subsequent services or servers. The list is
used only in a Service for User to Proxy (S4U2proxy) [MS-SFU] request. This
feature could be used multiple times in succession from service to service,
which is useful for auditing purposes.<18> The S4U_DELEGATION_INFO structure
is marshaled by RPC [MS-RPCE].
typedef struct _S4U_DELEGATION_INFO {
    RPC_UNICODE_STRING S4U2proxyTarget;
    ULONG TransitedListSize;
    [size_is(TransitedListSize)] PRPC_UNICODE_STRING S4UTransitedServices;
} S4U_DELEGATION_INFO,
  *PS4U_DELEGATION_INFO;
S4U2proxyTarget: An RPC_UNICODE_STRING structure that MUST contain the name of
the principal to whom the application can forward the ticket.
TransitedListSize: MUST be the number of elements in the S4UTransitedServices
array.
S4UTransitedServices: MUST contain the list of all services that have been
delegated through by this client and subsequent services or servers.
=== /snip ===
The S4U2proxyTarget seems to be expected to be a service principal name (SPN)
without the realm part (host/<servername>). Is that correct? Does the format
matter or can it be also <servername>$.
S4UTransitedServices seems to expect a list of SPNs (<service>/
<servername>@<realm>). Does this need to be host/<servername>@<realm> or can
it also be in the form <servername>$@<realm>?
Thank you very much for your assistance.
Best regards
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
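The following is an added example, not part of the e-mail or of the MS-PAC text it quotes. It models the three fields of S4U_DELEGATION_INFO in plain Python to show how the transited-services list grows as a ticket is forwarded hop by hop through S4U2proxy, and the invariant (TransitedListSize equals the array length) a PAC consumer checks before trusting the list for auditing. It is not an NDR/RPC marshaller, and the name formats in the constructed sample simply follow the observation in the question (target without realm, transited entries as service/host@REALM); they are assumptions, not a confirmed answer to it.

```python
"""Simplified model of MS-PAC 2.9 S4U_DELEGATION_INFO (added example, not spec code).

Field semantics follow the quoted spec text:
  S4U2proxyTarget      principal the ticket may be forwarded to
  TransitedListSize    MUST equal the number of S4UTransitedServices entries
  S4UTransitedServices every service the ticket has been delegated through
The NDR wire encoding is deliberately out of scope here.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class S4UDelegationInfo:
    s4u2proxy_target: str
    transited_list_size: int
    s4u_transited_services: List[str] = field(default_factory=list)

    def validate(self) -> None:
        """Checks a PAC consumer would apply before using the list for audit."""
        if not self.s4u2proxy_target:
            raise ValueError("S4U2proxyTarget MUST be present")
        if self.transited_list_size != len(self.s4u_transited_services):
            raise ValueError(
                "TransitedListSize (%d) != len(S4UTransitedServices) (%d)"
                % (self.transited_list_size, len(self.s4u_transited_services))
            )
        if any(not s for s in self.s4u_transited_services):
            raise ValueError("empty entry in S4UTransitedServices")


def s4u2proxy_hop(prev: Optional[S4UDelegationInfo],
                  requesting_service: str,
                  next_target: str) -> S4UDelegationInfo:
    """Model one S4U2proxy request.

    The service currently holding the ticket (requesting_service) asks for a
    ticket to next_target. The KDC carries forward the list recorded by earlier
    hops and appends the requesting service, so the chain stays visible.
    """
    transited = list(prev.s4u_transited_services) if prev else []
    transited.append(requesting_service)
    info = S4UDelegationInfo(next_target, len(transited), transited)
    info.validate()
    return info


def delegation_chain(hops: List[Tuple[str, str]]) -> S4UDelegationInfo:
    """Run several S4U2proxy hops in succession; each hop is (requester, target)."""
    info: Optional[S4UDelegationInfo] = None
    for requester, target in hops:
        info = s4u2proxy_hop(info, requester, target)
    if info is None:
        raise ValueError("at least one hop is required")
    return info


def audit_trail(info: S4UDelegationInfo) -> List[str]:
    """Return the full path for logging: every transited service, then the target."""
    info.validate()
    return info.s4u_transited_services + [info.s4u2proxy_target]


# Constructed sample chain (hypothetical names, formats per the question's
# observation and not a confirmed rule): web -> app -> db in one realm.
SAMPLE_HOPS = [
    ("HTTP/web.example.com@EXAMPLE.COM", "host/app.example.com"),
    ("host/app.example.com@EXAMPLE.COM", "host/db.example.com"),
]

if __name__ == "__main__":
    final = delegation_chain(SAMPLE_HOPS)
    print("S4U2proxyTarget     :", final.s4u2proxy_target)
    print("TransitedListSize   :", final.transited_list_size)
    print("S4UTransitedServices:", final.s4u_transited_services)
    print("audit trail         :", " -> ".join(audit_trail(final)))
```

Running the block prints the final structure after two hops; `validate()` is also what rejects a PAC whose TransitedListSize disagrees with the array it claims to describe, which is the one field-level consistency check the spec text makes mandatory.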