[28118] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Jul 26 15:54:53 2007

Message-ID: <46A8FC0E.4080600@anl.gov>
Date: Thu, 26 Jul 2007 14:54:54 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: achim@grolmsnet.de
In-Reply-To: <200707262057.02222.achim@grolmsnet.de>
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>,
   modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Achim Grolms wrote:
> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> 
>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
>>> would not be set in that case?
>>>
>>> Achim
>> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
>> valid until negotiation is complete.
> 
> That means before trying to store delegated credentials
> and before checking GSS_C_DELEG_FLAG
> mod_auth_kerb needs to check if gss_accept_sec_context ()
> returns   major_status = GSS_S_COMPLETE

Correct.

> (checking GSS_ERROR(major_status) does match other non-error states
> of major_status)?

Yes that is a macro to mask out the error bits s they can be tested.

> 
> Achim
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post