
List:       cifs-protocol
Subject:    [cifs-protocol] MS-PAC: Constrained Delegation Information
From:       Andreas Schneider via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2021-11-29 9:15:34
Message-ID: 9173199.8Y716B6ETW () magrathea

Hello dochelp,

I have some requests for clarification for:

=== snip ===

2.9 Constrained Delegation Information

The S4U_DELEGATION_INFO structure lists the services that have been delegated 
through this Kerberos client and subsequent services or servers. The list is 
used only in a Service for User to Proxy (S4U2proxy) [MS-SFU] request. This 
feature could be used multiple times in succession from service to service, 
which is useful for auditing purposes.<18> The S4U_DELEGATION_INFO structure
is marshaled by RPC [MS-RPCE].

typedef struct _S4U_DELEGATION_INFO {
    RPC_UNICODE_STRING S4U2proxyTarget;
    ULONG TransitedListSize;
    [size_is(TransitedListSize)] PRPC_UNICODE_STRING S4UTransitedServices;
} S4U_DELEGATION_INFO,
  *PS4U_DELEGATION_INFO;

S4U2proxyTarget: An RPC_UNICODE_STRING structure that MUST contain the name of 
the principal to whom the application can forward the ticket.

TransitedListSize: MUST be the number of elements in the S4UTransitedServices 
array.

S4UTransitedServices: MUST contain the list of all services that have been 
delegated through by this client and subsequent services or servers.

=== /snip ===

The S4U2proxyTarget seems to be expected to be a service principal name (SPN) 
without the realm part (host/<servername>). Is that correct? Does the format 
matter, or can it also be <servername>$?

S4UTransitedServices seems to expect a list of SPNs 
(<service>/<servername>@<realm>). Does this need to be host/<servername>@<realm> 
or can it also be in the form <servername>$@<realm>?

Thank you very much for your assistance.


Best regards


	Andreas


-- 
Andreas Schneider                      asn@samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
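
An added example, not part of the original message and not code from MS-PAC or Samba: a Python decoder for the RPC-marshaled S4U_DELEGATION_INFO quoted above, which rejects a TransitedListSize that disagrees with the marshaled array. It assumes a little-endian Type Serialization Version 1 header in front of the structure. The function names and sample principal names are constructed and do not settle which name format is expected.

```python
import struct

def _hdr(buf, off):
    # RPC_UNICODE_STRING header: Length, MaximumLength (bytes), Buffer referent ID
    length, _maxlen, ref = struct.unpack_from("<HHI", buf, off)
    return length, ref

def _body(buf, off, length, ref):
    # Deferred buffer: conformant varying array (MaxCount, Offset, ActualCount, UTF-16LE)
    if ref == 0:
        return None, off
    maxc, first, actual = struct.unpack_from("<III", buf, off)
    end = off + 12 + actual * 2
    if first != 0 or actual > maxc or actual * 2 != length or end > len(buf):
        raise ValueError("inconsistent or truncated string")
    return buf[off + 12:end].decode("utf-16-le"), (end + 3) & ~3  # realign to 4

def parse_s4u_delegation_info(blob):
    ver, endian, hlen, _, objlen, _ = struct.unpack_from("<BBHIII", blob, 0)
    if (ver, endian, hlen) != (1, 0x10, 8) or 16 + objlen > len(blob):
        raise ValueError("bad type-serialization header")
    tlen, tref = _hdr(blob, 20)            # 16 header bytes + top-level referent ID
    count, aref = struct.unpack_from("<II", blob, 28)
    target, off = _body(blob, 36, tlen, tref)
    services = []
    if aref:
        (maxc,) = struct.unpack_from("<I", blob, off)
        off += 4
        if maxc != count or off + 8 * count > len(blob):
            raise ValueError("TransitedListSize does not match the marshaled array")
        hdrs = [_hdr(blob, off + 8 * i) for i in range(count)]
        off += 8 * count
        for length, ref in hdrs:
            name, off = _body(blob, off, length, ref)
            services.append(name)
    elif count:
        raise ValueError("TransitedListSize is non-zero but the array pointer is NULL")
    return target, services

def build_sample(target, transited):
    # Constructed input for the demo; referent IDs are arbitrary non-zero values.
    def ustr(s):
        raw = s.encode("utf-16-le")
        body = struct.pack("<III", len(raw) // 2, 0, len(raw) // 2) + raw
        return struct.pack("<HHI", len(raw), len(raw), 0x20004), body + b"\0" * (-len(body) % 4)
    (th, tb), elems = ustr(target), [ustr(s) for s in transited]
    ndr = (struct.pack("<I", 0x20000) + th + struct.pack("<II", len(elems), 0x20008) + tb
           + struct.pack("<I", len(elems)) + b"".join(h for h, _ in elems) + b"".join(b for _, b in elems))
    return struct.pack("<BBHIII", 1, 0x10, 8, 0xCCCCCCCC, len(ndr), 0) + ndr
```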


