Hi, I am having trouble with S4U2Proxy. Looking into *accept_sec_context.c*, it has:

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL && /* no unconstrained delegation */
        cred->usage == GSS_C_BOTH &&
        (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
        /*
         * Now, we always fabricate a delegated credentials handle
         * containing the service ticket to ourselves, which can be
         * used for S4U2Proxy.
         */
        major_status = create_constrained_deleg_creds(minor_status, cred,
                                                      ticket, &deleg_cred,
                                                      context);
        if (GSS_ERROR(major_status))
            goto fail;
        ctx->gss_flags |= GSS_C_DELEG_FLAG;
    }

I created some printf calls to check, and the verifier_cred_handle I passed into *gss_accept_sec_context()* is set back to GSS_C_NO_CREDENTIAL once it reaches kg_accept_krb5(). That in turn causes one of the conditions,

    cred->usage == GSS_C_BOTH

to be false. I definitely verified verifier_cred_handle before I called gss_accept_sec_context(). And it is coming from this call:

    maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                                GSS_C_NO_OID_SET, GSS_C_BOTH,
                                &state->server_creds, NULL, NULL);

So my assumption is that the cred->usage flag should be GSS_C_BOTH. Anyway, please let me know how I can debug this issue. Thanks.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos