Russ Allbery <[email protected]> writes: > Note that S4U2proxy isn't supported until MIT Kerberos 1.8 and I'm not > sure the status of support in Heimdal. I'm also not sure exactly how > you configure the KDC-side ACLs (the equivalent of WebAuth's token.acl).
Ah, it looks like for MIT Kerberos you can only use S4U2proxy if you're using the LDAP backend to store your KDC, since only LDAP has the appropriate attributes to store the ACL. That means it's probably premature to rely on S4U2proxy to be available, since I'm fairly sure most sites are not using LDAP. I can't find any information in the Heimdal documentation on how it handles the ACL. -- Russ Allbery <[email protected]> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
