[31134] in Kerberos
Re: ok_as_delegation status
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 18 13:13:39 2009
From: Greg Hudson <ghudson@mit.edu>
To: Kronus David <kronda@atlas.cz>
In-Reply-To: <6b1ea5c5c7ad4991844f741b050663db@40873c88860d488b9d1be3f0127ba1bb>
Date: Mon, 18 May 2009 13:13:22 -0400
Message-Id: <1242666802.4146.32.camel@ray>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago. That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.
However, I think your problem may not be related to the ok_as_delegate
flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)
http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
that's still possible two years later.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
