[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GSSAPI with Constrained Delegation

I found that the GSSAPI portion is not friendly with Constrained Delegation. The problem is in acquire_cred.c where __gsskrb5_ccache_lifetime() always uses KRB5_TGS_NAME to make a principal to get credentials. In CD there is no such credential for the delegated account, hence it fails to acquire a GSSAPI credential.

I hacked the code to make it working for my particular situation. But I wonder if there is another way to do this? Or some change in GSSAPI is needed to not start from KRB5_TGS_NAME for credential acquisition?