Nothing wrong with what you suggest, but in theory the conf- >krb_save_credentials value doesn't need to be checked.
In practice, who knows? Lots of bugs out there. On Jul 26, 2007, at 1:38 PM, Achim Grolms wrote: > On Thursday 26 July 2007 21:54, Douglas E. Engert wrote: >> Achim Grolms wrote: >>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote: >>>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG >>>>> would not be set in that case? >>>>> >>>>> Achim >>>> >>>> Agreed. That flag shouldn't be set AFAIK, though the value isn't >>>> valid until negotiation is complete. >>> >>> That means before trying to store delegated credentials >>> and before checking GSS_C_DELEG_FLAG >>> mod_auth_kerb needs to check if gss_accept_sec_context () >>> returns major_status = GSS_S_COMPLETE > > From my point of view this means that mod_auth_kerb > needs a change in code. > I needs to be of that style: > > the major_status of > gss_accept_sec_context() > > needs to be checked before checking GSS_C_DELEG_FLAG. > > This can be done this way: > > if ( major_status_accept = GSS_S_COMPLETE ) { > if (conf->krb_save_credentials) { > if (delegated_cred != GSS_C_NO_CREDENTIAL) { > . > . > . > } > } > } > > > major_status_accept is the major_status returned by > accept_sec_token > > Mikkel, can you give this a try? > Achim ------------------------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. [EMAIL PROTECTED], or [EMAIL PROTECTED] ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos