[28123] in Kerberos
Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand
daemon@ATHENA.MIT.EDU (Achim Grolms)
Thu Jul 26 16:52:12 2007
From: Achim Grolms <achim@grolmsnet.de>
To: "Douglas E. Engert" <deengert@anl.gov>,
"Henry B. Hotz" <hotz@jpl.nasa.gov>, Mikkel Kruse Johnsen <mikkel@linet.dk>
Date: Thu, 26 Jul 2007 22:38:09 +0200
In-Reply-To: <46A8FC0E.4080600@anl.gov>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200707262238.12048.achim@grolmsnet.de>
Cc: modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Reply-To: achim@grolmsnet.de
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
> Achim Grolms wrote:
> > On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
> >>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
> >>> would not be set in that case?
> >>>
> >>> Achim
> >>
> >> Agreed. That flag shouldn't be set AFAIK, though the value isn't
> >> valid until negotiation is complete.
> >
> > That means before trying to store delegated credentials
> > and before checking GSS_C_DELEG_FLAG
> > mod_auth_kerb needs to check if gss_accept_sec_context ()
> > returns major_status = GSS_S_COMPLETE
>From my point of view this means that mod_auth_kerb
needs a change in code.
I needs to be of that style:
the major_status of
gss_accept_sec_context()
needs to be checked before checking GSS_C_DELEG_FLAG.
This can be done this way:
if ( major_status_accept = GSS_S_COMPLETE ) {
if (conf->krb_save_credentials) {
if (delegated_cred != GSS_C_NO_CREDENTIAL) {
.
.
.
}
}
}
major_status_accept is the major_status returned by
accept_sec_token
Mikkel, can you give this a try?
Achim
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos