Added ok-as-delegate support to the KDC and kadmin tonight, I just realised we didn’t support it when I finally got around to writing ok-as-delegate support to GSS-API. I’m somewhat unhappy with unparse_flags() in roken, it not very future proof, unknown bits causes the world to catch on fire and it does interesting things.
The part of ok-as-delegate in the GSS-API lib was simpler to implement then what I expected, quite a low number or rows was needed, most of the infrastructure was already there thanks to compatibility option.
I’ve started to put done in words all ideas I have integrating Kerberos in Stockholms Univerity’s enviroment (sorry, in swedish). There is a need for such document to explain to our sysadmins and developers why the enviroment look likes it does. Hopefully I’ll get around to implement (or have someone else do it) them now that I know what order the diffrent part needs to be.
First out is storing cleartext-passwords in the KDC so that new enctypes can easily be added. I guess they really should be encrypted using public key encrytion, but that wont do since we need to expose them to our helpdesk. Don’t ask why, its just that way now.