ok_as_delegation status

Greg Hudson ghudson at MIT.EDU
Mon May 18 13:13:22 EDT 2009

kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago.  That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.

However, I think your problem may not be related to the ok_as_delegate
flag.  http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)

suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's.  I don't know if
that's still possible two years later.

More information about the Kerberos mailing list