Ken Raeburn raeburn at MIT.EDU
Wed May 7 11:45:51 EDT 2008

On May 7, 2008, at 02:27, josephharfouch at iinet.net.au wrote:
> Does the MIT Kerberos source code set the OK-AS-DELEGATE flag
> and if yes, then under what circumstances?

No.  Our code will display the flag in "klist" output, but has no  
support for setting it at present.

> I am conducting a cross platform test where the gss client and server
> are using the z/OS Kerberos implementation, but the KDC is using the
> MIT implementation. The test case fails, unless I tell the z/OS
> Kerberos implementation code to ignore the delegate check test. (We
> have a check_delegate flag that is turned on by default, but we can
> turn it off in krb5.conf), so I am wondering if turning off the check
> is the best way to proceed.

It certainly sounds like the easiest way to proceed.  Modifying the  
MIT code to set the flag (perhaps controlled by policies, perhaps only  
by per-principal flags? needs some thought) would be more work, but  
would let you retain the check.


