Incorrect delegation state shown on acceptor side by context flags

2013-05-17 Thread Vipul Mehta
Hi,

It seems there is a bug in MIT Kerberos gss source code where the delegation state is set in context flags on acceptor side. I am using a keytab on server side to acquire credentials with in-memory credential cache: *cred->usage == GSS_C_BOTH* Client has *delegation flag set to false* but ha

Re: Incorrect delegation state shown on acceptor side by context flags

2013-05-17 Thread Greg Hudson
On 05/17/2013 07:33 AM, Vipul Mehta wrote:
> So, for case B, the above if() condition will be true and it will set the
> context delegation flag to true on acceptor side though delegation flag is
> false on initiator side.

This is how our constrained delegation (S4U2Proxy) support works. I don't

Re: Incorrect delegation state shown on acceptor side by context flags

2013-05-17 Thread Greg Hudson
On 05/17/2013 10:56 AM, Vipul Mehta wrote:
> So, on acceptor side, how do I know that initiator has delegated the
> credentials if I can't rely on context delegation flag?

The GSSAPI doesn't distinguish between different kinds of credential delegation. But if you use GSS_C_ACCEPT rather than GSS

Re: Incorrect delegation state shown on acceptor side by context flags

2013-05-17 Thread Vipul Mehta
So, on acceptor side, how do I know that initiator has delegated the credentials if I can't rely on context delegation flag? What about the Java implementation of GSS? Looks like there it works fine.

On Fri, May 17, 2013 at 7:18 PM, Greg Hudson wrote:
> On 05/17/2013 07:33 AM, Vipul Mehta wro

Re: Incorrect delegation state shown on acceptor side by context flags

2013-05-17 Thread Vipul Mehta
On Fri, May 17, 2013 at 8:31 PM, Greg Hudson wrote:
> The GSSAPI doesn't distinguish between different kinds of credential
> delegation. But if you use GSS_C_ACCEPT rather than GSS_C_BOTH acceptor
> credentials, then constrained delegation won't be used, and you will be
> able to tell whether tr

Re: Incorrect delegation state shown on acceptor side by context flags

2013-05-20 Thread Vipul Mehta
One more question, what is the exact use of context delegation flag if it doesn't need to be same on initiator and acceptor side.

On Fri, May 17, 2013 at 9:54 PM, Vipul Mehta wrote:
> On Fri, May 17, 2013 at 8:31 PM, Greg Hudson wrote:
>
>> The GSSAPI doesn't distinguish between different kinds

Re: Incorrect delegation state shown on acceptor side by context flags

2013-05-20 Thread Nico Williams
On Mon, May 20, 2013 at 5:20 AM, Vipul Mehta wrote:
> One more question, what is the exact use of context delegation flag if it
> doesn't need to be same on initiator and acceptor side.

The initiator gets to ask for credential delegation. The acceptor gets to receive delegated credentials. The