Why doesn't krb5_get_credentials_for_user return an error even if the ticket received is not FORWARDABLE?
Weijun Wang
weijun.wang at oracle.com
Tue Jul 10 23:48:47 EDT 2012
Hi Luke
If a service principal does not have the ok_to_auth_as_delegate
attribute, the ticket replied to an S4U2self request will not have the
FORWARDABLE flag, and when this ticket is used in a S4U2proxy request,
there will be an error:
Requesting ticket can't get forwardable tickets s2 at K1: constrained
delegation failed
My question is: is this ticket useful for any other purpose? If not, why
doesn't krb5_get_credentials_for_user return an error at the beginning?
Thanks
Weijun
More information about the Kerberos
mailing list