Kerberos Constrained Delegation in libsmbclient

Alexander Bokovoy ab at samba.org
Tue Mar 2 12:54:21 UTC 2021


On Tue, 02 Mar 2021, Vikram Bharti via samba-technical wrote:
> Any further help would be appreciated.

As far as I can see, libsmbclient internally uses the credentials API, which
means it should already support constrained delegation.

I am not using libsmbclient for this use case myself, but in FreeIPA we
are relying on Samba Python bindings for constrained delegation-based
access to LSA RPC and we have no problem with the credentials API.


> 
> On Thu, Feb 25, 2021 at 5:28 PM Vikram Bharti <vikrambharti33 at gmail.com>
> wrote:
> 
> > IMO KCD can take service user, password/keytab-file, UPN of impersonation
> > user, and SPN of service as inputs (probably in auth_callback)
> > or it can take final service ticket (TGS-REP) as input in auth_callback.
> > Not so sure what should be the right way, but I leave it up to you to decide if
> > these 2 are feasible or if there is a better way.
> >
> >
> >
> > On Thu, Feb 25, 2021 at 12:00 AM Jeremy Allison <jra at samba.org> wrote:
> >
> >> On Wed, Feb 24, 2021 at 05:29:37PM +0530, Vikram Bharti via
> >> samba-technical wrote:
> >> >Hi,
> >> >
> >> >I was exploring a way to get KCD to work with libsmbclient APIs and I see
> >> >libsmbclient supports Kerberos auth but can't find any API for
> >> >impersonation and delegation.
> >> >Please let me know if there is a way to get it done.
> >>
> >> No, this is not currently available in the libsmbclient APIs.
> >>
> >> Can you give an example of what you'd like this to look like,
> >> so we can assess how hard it would be to implement?
> >>
> >

-- 
/ Alexander Bokovoy


