ok_as_delegation status

Greg Hudson ghudson at MIT.EDU
Mon May 18 13:13:22 EDT 2009


kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago.  That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.

However, I think your problem may not be related to the ok_as_delegate
flag.  http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)

http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's.  I don't know if
that's still possible two years later.





More information about the Kerberos mailing list