Douglas E. Engert deengert at anl.gov
Wed May 7 12:22:05 EDT 2008

Ken Raeburn wrote:
> On May 7, 2008, at 02:27, josephharfouch at iinet.net.au wrote:
>> Does the MIT kerberos source code set the OK-AS-DELEGATE flag
>> and if yes, then under what circumstances?
> No.  Our code will display the flag in "klist" output, but has no  
> support for setting it at present.
>> I am conducting a cross platform test where the gss client and  
>> server are using the
>> z/OS Kerberos implementation, but the KDC is using the MIT  
>> implementation. The test
>> case fails, unless I tell the z/OS kerberos implementation code to  
>> ignore the
>> delegate check test. (We have a check_delegate flag that is turned  
>> on by default,
>> but
>> we can turn it off in krb5.conf), so I am wondering if turning off  
>> the check is the
>> best way to proceed.
> It certainly sounds like the easiest way to proceed.  Modifying the  
> MIT code to set the flag (perhaps controlled by policies, perhaps only  
> by per-principal flags? needs some thought) would be more work, but  
> would let you retain the check.

If I recall, there was a request from one of the other Labs to have
MIT clients check for the flag being set, much like a  Windows SSPI
client does before delegating. So it might be a good feature to allow
the KDC set the flag based on per-server flags.   As it allows a
client to authenticate to a semi-trusted server, but not delegate
to it. Gives the realm admin some control over what machines are
trusted with delegated credentials.

FireFox or other browsers using SPNEGO may also check the flag,
they probably don't today but they may in the future.

On Windows the ksetup /setRealmFlags Delegate can override the test
for non-Windows realms.

> Ken
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list