[krbdev.mit.edu #6473] strip ok-as-delegate if not in cross-realm TGT chain
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Tue Apr 21 15:34:09 EDT 2009
>>>>> "Tom" == Tom Yu via RT <rt-comment at krbdev.mit.edu> writes:
Tom> The existing implementation of GSS_C_DELEG_POLICY_FLAG does
Tom> not examine cross-realm tickets leading to the service
Tom> ticket. Implement Heimdal's solution of stripping
Tom> ok-as-delegate flags inside get_creds if an intervening
Tom> cross-realm TGT lacks it.
I think this is definitely a good long-term solution.
More information about the krb5-bugs
mailing list