[28121] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand

daemon@ATHENA.MIT.EDU (Achim Grolms)
Thu Jul 26 16:51:50 2007

From: Achim Grolms <achim@grolmsnet.de>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Thu, 26 Jul 2007 20:56:59 +0200
In-Reply-To: <FC9A39B2-B4D1-4CD1-AF82-9537343398DE@jpl.nasa.gov>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200707262057.02222.achim@grolmsnet.de>
Cc: kerberos@mit.edu, modauthkerb-help@lists.sourceforge.net,
   "Douglas E. Engert" <deengert@anl.gov>
Reply-To: achim@grolmsnet.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:

> > If I understand RFC2744 correct GSS_C_DELEG_FLAG
> > would not be set in that case?
> >
> > Achim
>
> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
> valid until negotiation is complete.

That means before trying to store delegated credentials
and before checking GSS_C_DELEG_FLAG
mod_auth_kerb needs to check if gss_accept_sec_context ()
returns   major_status = GSS_S_COMPLETE
(checking GSS_ERROR(major_status) does match other non-error states
of major_status)?

Achim
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post