[modauthkerb] Negotiate on Windows with cross-realm trust AD and MIT Kerberos.

Henry B. Hotz hotz at jpl.nasa.gov
Thu Jul 26 20:09:20 EDT 2007


Nothing wrong with what you suggest, but in theory the
conf->krb_save_credentials value doesn't need to be checked.

In practice, who knows?  Lots of bugs out there.

On Jul 26, 2007, at 1:38 PM, Achim Grolms wrote:

> On Thursday 26 July 2007 21:54, Douglas E. Engert wrote:
>> Achim Grolms wrote:
>>> On Thursday 26 July 2007 20:40, Henry B. Hotz wrote:
>>>>> If I understand RFC2744 correctly GSS_C_DELEG_FLAG
>>>>> would not be set in that case?
>>>>>
>>>>> Achim
>>>>
>>>> Agreed.  That flag shouldn't be set AFAIK, though the value isn't
>>>> valid until negotiation is complete.
>>>
>>> That means before trying to store delegated credentials
>>> and before checking GSS_C_DELEG_FLAG
>>> mod_auth_kerb needs to check if gss_accept_sec_context ()
>>> returns   major_status = GSS_S_COMPLETE
>
> From my point of view this means that mod_auth_kerb
> needs a change in code.
> It needs to be of that style:
>
> the major_status of
> gss_accept_sec_context()
>
> needs to be checked before checking GSS_C_DELEG_FLAG.
>
> This can be done this way:
>
> if ( major_status_accept == GSS_S_COMPLETE ) {
>     if (conf->krb_save_credentials) {
>         if (delegated_cred != GSS_C_NO_CREDENTIAL) {
>              .
>              .
>              .
>         }
>     }
> }
>
>
> major_status_accept is the major_status returned by
> accept_sec_token
>
> Mikkel, can you give this a try?
> Achim

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
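
The ordering discussed in this thread, as an added example that is not mod_auth_kerb's code and not from either poster: the outputs of each gss_accept_sec_context() call pass through one gate, and the delegation flag and credential are acted on only when the major status is GSS_S_COMPLETE. The names after_accept, run_legs, neg_action and struct leg are hypothetical, and the GSS-API constants are redefined locally with their RFC 2744 values so the block builds without the GSS-API headers.

```c
/* Added example. Stand-in definitions so this compiles without GSS-API
 * headers; values follow RFC 2744. Real code includes <gssapi/gssapi.h>. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t OM_uint32;
typedef void *gss_cred_id_t;
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED 1u
#define GSS_C_DELEG_FLAG      1u
#define GSS_C_NO_CREDENTIAL   ((gss_cred_id_t)0)

typedef enum { NEG_FAILED, NEG_CONTINUE, NEG_DONE, NEG_DONE_STORE_CREDS } neg_action;

/* Hypothetical helper: what to do after one gss_accept_sec_context() call. */
neg_action after_accept(OM_uint32 major, OM_uint32 ret_flags,
                        gss_cred_id_t delegated_cred, int save_credentials)
{
    if (major == GSS_S_CONTINUE_NEEDED)
        return NEG_CONTINUE;   /* more tokens needed: do not act on flags or creds yet */
    if (major != GSS_S_COMPLETE)
        return NEG_FAILED;     /* any other status: reject */
    /* Context is established: only now are ret_flags and delegated_cred used. */
    if (save_credentials && (ret_flags & GSS_C_DELEG_FLAG) &&
        delegated_cred != GSS_C_NO_CREDENTIAL)
        return NEG_DONE_STORE_CREDS;
    return NEG_DONE;
}

/* One leg of a negotiation: the outputs of a single accept call (constructed). */
struct leg { OM_uint32 major; OM_uint32 ret_flags; gss_cred_id_t cred; };

/* Feeds constructed legs through the gate; returns the final action and
 * counts how often credentials would have been stored. */
neg_action run_legs(const struct leg *legs, size_t n, int save, int *stores)
{
    neg_action a = NEG_CONTINUE;
    *stores = 0;
    for (size_t i = 0; i < n && a == NEG_CONTINUE; i++) {
        a = after_accept(legs[i].major, legs[i].ret_flags, legs[i].cred, save);
        if (a == NEG_DONE_STORE_CREDS)
            (*stores)++;
    }
    return a;
}
```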
