Why doesn't krb5_get_credentials_for_user return an error even if the ticket received is not FORWARDABLE?

Weijun Wang weijun.wang at oracle.com
Tue Jul 10 23:48:47 EDT 2012


Hi Luke

If a service principal does not have the ok_to_auth_as_delegate
attribute, the ticket returned in reply to an S4U2self request will not
have the FORWARDABLE flag, and when this ticket is used in an S4U2proxy
request, there will be an error:

   Requesting ticket can't get forwardable tickets s2 at K1: constrained delegation failed

My question is: is this ticket useful for any other purpose? If not, why 
doesn't krb5_get_credentials_for_user return an error at the beginning?

Thanks
Weijun


