Nothing wrong with what you suggest, but in theory the conf-
>krb_save_credentials value doesn't need to be checked.
In practice, who knows? Lots of bugs out there.
On Jul 26, 2007, at 1:38 PM, Achim Grolms wrote:
> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>> Achim Grolms wrote:
>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>>>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
>>>>> would not be set in that case?
>>>>>
>>>>> Achim
>>>>
>>>> Agreed. That flag shouldn't be set AFAIK, though the value isn't
>>>> valid until negotiation is complete.
>>>
>>> That means before trying to store delegated credentials
>>> and before checking GSS_C_DELEG_FLAG
>>> mod_auth_kerb needs to check if gss_accept_sec_context ()
>>> returns major_status = GSS_S_COMPLETE
>
> From my point of view this means that mod_auth_kerb
> needs a change in code.
> I needs to be of that style:
>
> the major_status of
> gss_accept_sec_context()
>
> needs to be checked before checking GSS_C_DELEG_FLAG.
>
> This can be done this way:
>
> if ( major_status_accept = GSS_S_COMPLETE ) {
> if (conf->krb_save_credentials) {
> if (delegated_cred != GSS_C_NO_CREDENTIAL) {
> .
> .
> .
> }
> }
> }
>
>
> major_status_accept is the major_status returned by
> accept_sec_token
>
> Mikkel, can you give this a try?
> Achim
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
