Constrained Delegation incurs high rate of TGS exchange

Isaac Boukris iboukris at gmail.com
Mon Jan 4 12:31:18 EST 2016


On Jan 4, 2016 5:33 PM, "Greg Hudson" <ghudson at mit.edu> wrote:
>
> On 12/27/2015 10:57 PM, Isaac Boukris wrote:
> >> I'm trying to use gss_acquire_cred_impersonate_name() followed by
> >> gss_store_cred_into() to store impersonated creds into a ccache which
> >> I later use for calling gss_init_sec_context() on behalf of the user.
>
> > I think I found the bug in 'init_sec_context', when we have
> > impersonator credentials we don't check first if we have cached
> > credentials.
> > Please have a look at PR #381 - it fixes it for me (no high rate of
> > TGS exchange and no duplicate entries in ccache).
>
> Thanks for the clear problem description and the pull request.  It may
> take a while to get to this because of a big post-holiday work pileup,
> but it's on the radar.

Thanks for the feedback.

Note that I've tried to make the changes very local as the code flow is
pretty complicated.
I'll be glad however to make necessary adjustments or test an alternative
patch if needed.

