[28125] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand

daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Thu Jul 26 20:10:01 2007

In-Reply-To: <200707262238.12048.achim@grolmsnet.de>
Mime-Version: 1.0 (Apple Message framework v752.3)
Message-Id: <B8E7A7A2-08A8-4491-9A95-30179049CAD6@jpl.nasa.gov>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Thu, 26 Jul 2007 17:09:20 -0700
To: Achim Grolms <achim@grolmsnet.de>
Cc: kerberos@mit.edu, modauthkerb-help@lists.sourceforge.net,
   "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Nothing wrong with what you suggest, but in theory the conf- 
 >krb_save_credentials value doesn't need to be checked.

In practice, who knows?  Lots of bugs out there.

On Jul 26, 2007, at 1:38 PM, Achim Grolms wrote:

> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>> Achim Grolms wrote:
>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>>>>> If I understand RFC2744 correct GSS_C_DELEG_FLAG
>>>>> would not be set in that case?
>>>>>
>>>>> Achim
>>>>
>>>> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
>>>> valid until negotiation is complete.
>>>
>>> That means before trying to store delegated credentials
>>> and before checking GSS_C_DELEG_FLAG
>>> mod_auth_kerb needs to check if gss_accept_sec_context ()
>>> returns   major_status = GSS_S_COMPLETE
>
> From my point of view this means that mod_auth_kerb
> needs a change in code.
> I needs to be of that style:
>
> the major_status of
> gss_accept_sec_context()
>
> needs to be checked before checking GSS_C_DELEG_FLAG.
>
> This can be done this way:
>
> if ( major_status_accept = GSS_S_COMPLETE ) {
>     if (conf->krb_save_credentials) {
>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>              .
>              .
>              .
>         }
>      }
> }
>
>
> major_status_accept is the major_status returned by
> accept_sec_token
>
> Mikkel, can you give this a try?
> Achim

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post