[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GSSAPI with Constrained Delegation

To: <heimdal-discuss@sics.se>
Subject: GSSAPI with Constrained Delegation
From: "Zeqing (Fred) Xia" <fxia@juniper.net>
Date: Sat, 3 Nov 2007 20:57:39 -0700
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Reply-To: heimdal-discuss@sics.se, "Zeqing (Fred) Xia" <fxia@juniper.net>
Thread-Index: AcgeltfLb1n23OAFTPOJV7WHibaJsg==
Thread-Topic: GSSAPI with Constrained Delegation


I found that the GSSAPI portion is not friendly with Constrained Delegation. The problem is in acquire_cred.c where __gsskrb5_ccache_lifetime() always uses KRB5_TGS_NAME to make a principal to get credentials. In CD there is no such credential for the delegated account, hence it fails to acquire a GSSAPI credential.

I hacked the code to make it working for my particular situation. But I wonder if there is another way to do this? Or some change in GSSAPI is needed to not start from KRB5_TGS_NAME for credential acquisition?

Thanks.



Fred

Prev by Date: Re: Question about using plugin to resolve kdc host
Next by Date: RE: Question about using plugin to resolve kdc host
Prev by thread: RE: Question about using plugin to resolve kdc host
Next by thread: No Subject
Index(es):
- Date
- Thread