Delegated creds and SPNEGO
Luke Howard
lukeh at padl.com
Wed Aug 26 13:09:17 EDT 2009
There was a bug a while ago (looks like 319351 at Red Hat, not sure
about the MIT RT number) regarding delegated creds and SPNEGO.

It was fixed by changing gssint_get_mechanism_cred() in the mechglue
to not unwrap SPNEGO credentials. However, this changes the behaviour
of everything that calls gssint_get_mechanism_cred(). It means that
using gss_acquire_cred() for SPNEGO credentials returns
GSS_S_DUPLICATE_ELEMENT.

Sun fixed the same issue explicitly in the delegated credentials path
(it is also a workaround, but it did have the advantage of not being a
special case for SPNEGO).

So, I'm wondering: was this fixed correctly? Is the expectation that,
when using pseudo-mechanisms, you will acquire credentials for the
pseudo-mechanism or for the concrete mechanism? If it's the former,
well, it doesn't work right now. I ask because it impacts some other
work.

-- Luke
--
www.padl.com | www.fghr.net