[28134] in Kerberos

home help back first fref pref prev next nref lref last post

Re: [modauthkerb] Negotiate on Windows with cross-realm trust ADand

daemon@ATHENA.MIT.EDU (Achim Grolms)
Fri Jul 27 17:59:37 2007

From: Achim Grolms <achim@grolmsnet.de>
To: mikkel@linet.dk
Date: Fri, 27 Jul 2007 20:19:58 +0200
In-Reply-To: <1185520446.2958.3.camel@tux.lib.cbs.dk>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200707272020.01184.achim@grolmsnet.de>
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>,
   "Douglas E. Engert" <deengert@anl.gov>,
   modauthkerb-help@lists.sourceforge.net, kerberos@mit.edu
Reply-To: achim@grolmsnet.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Friday 27 July 2007 09:14, Mikkel Kruse Johnsen wrote:

> After the patch (attached) I get this.

I think your patch does my idea wrong.

Your patch checks

major_status == GSS_S_COMPLETE

but in your patch  major_status is the return-value of gss_display_name(),
not of accept_sec_token.

You need to store the return-value of accept_sec_token
in a 2nd variable, "major_status_accept" for example
and check 

major_status_accept == GSS_S_COMPLETE
(or move the delegation-store-code direct below the
accept_sec_token() so major_status really holds the value
of accept_sec_token.

Maybe the client tries to to mutual authentication and the
TGT is only delegated *after* the mutual-auth-roundrip has finished?

Achim
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post