Not getting delegation credential from gss_accept_sec_context()

Xie, Hugh hugh.xie at bankofamerica.com
Mon Oct 6 16:49:33 EDT 2014


Hi,

I am having trouble with S4U2Proxy. Looking into *accept_sec_context.c*, it has:

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL && /* no unconstrained delegation */
        cred->usage == GSS_C_BOTH &&
        (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
        /*
         * Now, we always fabricate a delegated credentials handle
         * containing the service ticket to ourselves, which can be
         * used for S4U2Proxy.
         */
        major_status = create_constrained_deleg_creds(minor_status, cred,
                                                      ticket, &deleg_cred,
                                                      context);
        if (GSS_ERROR(major_status))
            goto fail;
        ctx->gss_flags |= GSS_C_DELEG_FLAG;
    }

I added some printf calls to check, and the verifier_cred_handle I passed into *gss_accept_sec_context()* is set back to GSS_C_NO_CREDENTIAL once it reaches kg_accept_krb5(). That in turn causes one of the conditions, cred->usage == GSS_C_BOTH, to be false. I definitely verified verifier_cred_handle before I called gss_accept_sec_context(). And it is coming from this call:

    maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                                GSS_C_NO_OID_SET, GSS_C_BOTH,
                                &state->server_creds, NULL, NULL);

So my assumption is that the cred->usage flag should be GSS_C_BOTH.

Anyway, please let me know how I can debug this issue.

Thanks.
