[20024] in Kerberos_V5_Development
Re: [kitten] Checking the transited list of a kerberos ticket in a
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Fri Feb 7 07:26:41 2020
In-Reply-To: <20191122224526.GA28614@localhost>
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 7 Feb 2020 13:26:14 +0100
Message-ID: <CAC-fF8S=yxgx5qL5ZwFocij_DzsHPBzf8LcZACo9HVF5DDSxLA@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Samba Technical <samba-technical@lists.samba.org>,
"heimdal-discuss@sics.se" <heimdal-discuss@sics.se>,
"krbdev@mit.edu Dev List" <krbdev@mit.edu>, kitten@ietf.org
Hi,

On Fri, Nov 22, 2019 at 11:45 PM Nico Williams <nico@cryptonector.com> wrote:
>
> On Fri, Nov 22, 2019 at 11:24:44AM +0100, Stefan Metzmacher wrote:
> > > Correspondingly and symmetrically, the right way to request some
> > > behavior on the side where the credential is available, is to associate
> > > that request with the desired_name for which the credential is acquired.
> >
> > So you mean we need to pass an explicit desired_name to
> > gss_acquire_cred_from() and use gss_set_name_attribute() calls
> > (for no_transit_check and iterate_acceptor_keytab) on that desired_name
> > before?
>
> Oh, wait, right. That's not going to work when you want a default
> credential.

Maybe the name-attributes can be made complementary to the proposed
credential-options, if a service wishes to inquire about this info.