ok_as_delegation status
Greg Hudson
ghudson at MIT.EDU
Mon May 18 13:13:22 EDT 2009
kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago. That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.
However, I think your problem may not be related to the ok_as_delegate
flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)
http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
that's still possible two years later.
More information about the Kerberos
mailing list