[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Henry B. Hotz hotz at jpl.nasa.gov
Thu Jul 26 14:40:57 EDT 2007


On Jul 26, 2007, at 11:28 AM, Achim Grolms wrote:

> On Thursday 26 July 2007 20:16, Douglas E. Engert wrote:
>> Achim Grolms wrote:
>
>>> From my point of view that means we can exclude the item
>>> "Client sends nothing as delegated credentials" because from
>>> my point of view the logging means *something* is received.
>>
>> No, the trace showed that the client obtained a TGT to forward,
>> but did not forward it.
>>
>>    reqFlags: 02
>>      0... .... = delegFlag:False
>
> OK, got it.
>
> But I do not understand why on mod_auth_kerb side
> gss_accept_sec_context () sets the GSS_C_DELEG_FLAG
> of ret_flags.
>
> If I understand RFC2744 correctly GSS_C_DELEG_FLAG
> would not be set in that case?
>
> Achim

Agreed.  That flag shouldn't be set AFAIK, though the value isn't  
valid until negotiation is complete.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu




