Constrained Delegation incurs high rate of TGS exchange

Isaac Boukris iboukris at gmail.com
Fri Dec 25 20:47:55 EST 2015


Hello,

I'm trying to use gss_acquire_cred_impersonate_name() followed by
gss_store_cred_into() to store impersonated creds into a ccache which
I later use for calling gss_init_sec_context() on behalf of the user.

This works fine (against w2k3) but it seems that each call to
gss_init_sec_context() incurs a new TGS exchange (on wire) and
subsequently 'klist' shows additional entries although the target
server is the same.
This doesn't happen when I use regular 'kinit' to initialize the
ccache (rather the first TGS seems to be reused).

I was wondering if this is expected in a constrained-delegation scenario
or whether I might be doing something wrong (tested with 1.12.2 and
1.14-pre).

Thank you,
Isaac Boukris

