OK-AS-DELEGATE FLAG setting.
Ken Raeburn
raeburn at MIT.EDU
Wed May 7 11:45:51 EDT 2008
On May 7, 2008, at 02:27, josephharfouch at iinet.net.au wrote:
> Does the MIT Kerberos source code set the OK-AS-DELEGATE flag
> (TKT_FLG_OK_AS_DELEGATE), and if yes, then under what circumstances?
No. Our code will display the flag in "klist" output, but has no
support for setting it at present.
> I am conducting a cross-platform test where the gss client and
> server are using the z/OS Kerberos implementation, but the KDC is
> using the MIT implementation. The test case fails, unless I tell the
> z/OS Kerberos implementation code to ignore the delegate check test.
> (We have a check_delegate flag that is turned on by default, but we
> can turn it off in krb5.conf), so I am wondering if turning off the
> check is the best way to proceed.
It certainly sounds like the easiest way to proceed. Modifying the
MIT code to set the flag (perhaps controlled by policies, perhaps only
by per-principal flags? needs some thought) would be more work, but
would let you retain the check.
Ken