Constrained Delegation incurs high rate of TGS exchange

Isaac Boukris iboukris at gmail.com
Sun Dec 27 22:57:04 EST 2015


Hi again,

On Sat, Dec 26, 2015 at 3:47 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> Hello,
>
> I'm trying to use gss_acquire_cred_impersonate_name() followed by
> gss_store_cred_into() to store impersonated creds into a ccache which
> I later use for calling gss_init_sec_context() on behalf of the user.
>
> This works fine (against w2k3) but it seems that each call to
> gss_init_sec_context() incurs a new TGS exchange (on wire) and
> subsequently 'klist' shows additional entries although the target
> server is the same.
> This doesn't happen when I use regular 'kinit' to initialize the
> ccache (rather, the first TGS seems to be reused).
>
> I was wondering if this is expected in a constrained-delegation
> scenario or whether I might be doing something wrong (tested with
> 1.12.2 and 1.14-pre).


I think I found the bug in 'init_sec_context': when we have
impersonator credentials, we don't check first whether we have cached
credentials.
Please have a look at PR #381 - it fixes it for me (no high rate of
TGS exchange and no duplicate entries in ccache).

Thanks a lot!
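The symptom reported in this thread is diagnosed from 'klist' output: one new ccache entry per gss_init_sec_context() call instead of a reused ticket. The following is an added example, not code from the thread or from MIT krb5, that parses klist-style text and flags service principals cached more than once for the same impersonated client. The sample listing is constructed to resemble MIT klist output (including the indented "for client" lines that appear for S4U tickets); it is not captured from the poster's system.

```python
"""Detect duplicate service tickets in a credential cache listing.

Added example: parses the text output of MIT `klist` (the sample below is
constructed, not real) and reports (service, client) pairs that appear
more than once, which is the symptom the thread describes: a fresh TGS
exchange and a fresh ccache entry on every gss_init_sec_context() call
instead of reuse of the first ticket.
"""
import re
from collections import Counter

# Constructed sample resembling `klist` output; not taken from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_example
Default principal: svc@EXAMPLE.COM

Valid starting       Expires              Service principal
12/27/2015 22:00:00  12/28/2015 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
12/27/2015 22:01:00  12/28/2015 08:00:00  HTTP/www.example.com@EXAMPLE.COM
\tfor client alice@EXAMPLE.COM
12/27/2015 22:02:00  12/28/2015 08:00:00  HTTP/www.example.com@EXAMPLE.COM
\tfor client alice@EXAMPLE.COM
12/27/2015 22:03:00  12/28/2015 08:00:00  cifs/fs.example.com@EXAMPLE.COM
"""

# One ticket line: start time, expiry time, service principal.
TICKET_RE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<service>\S+)$"
)
# Indented continuation line naming the impersonated client (S4U tickets).
FOR_CLIENT_RE = re.compile(r"^\s+for client (?P<client>\S+)$")


def parse_klist(text):
    """Return one dict per ticket: service, start, expires and optional client."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m["service"], "start": m["start"],
                            "expires": m["expires"], "client": None})
            continue
        m = FOR_CLIENT_RE.match(line)
        if m and tickets:
            # Attach the client to the ticket line immediately above it.
            tickets[-1]["client"] = m["client"]
    return tickets


def duplicate_services(tickets):
    """Map (service, client) -> count for pairs cached more than once."""
    counts = Counter((t["service"], t["client"]) for t in tickets)
    return {key: n for key, n in counts.items() if n > 1}


def ccache_reuses_tickets(text):
    """True when every (service, client) pair appears at most once,
    i.e. the cache shows the reuse behaviour expected after the fix."""
    return not duplicate_services(parse_klist(text))


if __name__ == "__main__":
    for (service, client), n in duplicate_services(parse_klist(SAMPLE_KLIST)).items():
        print(f"{service} for client {client}: cached {n} times")
```

Run it against the output of a real `klist` (e.g. piped through stdin in place of SAMPLE_KLIST) before and after applying a fix like the one described above: a healthy cache yields no duplicate pairs, while the pre-fix behaviour shows the same service principal growing by one entry per gss_init_sec_context() call.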
