[31141] in Kerberos
Re: ok_as_delegation status
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 19 11:12:44 2009
From: Greg Hudson <ghudson@mit.edu>
To: mikkel@linet.dk
In-Reply-To: <1242716135.2652.5.camel@localhost.localdomain>
Date: Tue, 19 May 2009 11:11:45 -0400
Message-Id: <1242745905.4146.72.camel@ray>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
A correction: ok_as_delegate kadmin support will be in MIT krb5 1.7,contrary to what I wrote previously.
On Tue, 2009-05-19 at 08:55 +0200, Mikkel Kruse Johnsen wrote:> Hi Kronus> > You definitely have to use mod_auth_kerb's internal SPNEGO to get it> to work. I spent a lot of time realizing that.> > the "ok_as_delegate" flag is not in kerberos, but it is a very simple> patch. See attacthment.> > Med Venlig Hilsen / Kind Regards> > > > > Mikkel Kruse> Johnsen> Adm.Dir.> > Linet> Ørholmgade 6 st> tv> Copenhagen N 2200> Denmark> > Work: +45> 21287793> Mobile: +45> 21287793> Email:> mikkel@linet.dk> IM:> mikkel@linet.dk> (MSN)> Professional> Profile> Healthcare > > > Network> Consultant > > > man, 18 05 2009 kl. 13:13 -0400, skrev Greg Hudson: > > kadmin support for ok_as_delegate has been added on the trunk but is not> > currently scheduled to go into 1.7, as the cutoff for new features was a> > while ago. That could probably change if we find conclusive evidence> > that ok_as_delegate support is more important than we thought.> > > > However, I think your problem may not be related to the ok_as_delegate> > flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your> > symptoms and is a totally different bug, which will be fixed in 1.7.> > (The relevant version in this case is the Kerberos code running on your> > Apache HTTPD server.)> > > > http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html> > suggests that you might be able to work around the problem by using> > mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if> > that's still possible two years later.> > > > > > ________________________________________________> > Kerberos mailing list Kerberos@mit.edu> > https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________Kerberos mailing list Kerberos@mit.eduhttps://mailman.mit.edu/mailman/listinfo/kerberos
