Delegated creds and SPNEGO

Luke Howard lukeh at
Wed Aug 26 13:09:17 EDT 2009

There was a bug a while ago (looks like 319351 at Red Hat, not sure  
about the MIT RT number) regarding delegated creds and SPNEGO.

It was fixed by changing gssint_get_mechanism_cred() in the mechglue  
to not unwrap SPNEGO credentials. However, this changes the behaviour  
of everything that calls gssint_get_mechanism_cred(). It means that  
using gss_acquire_cred() for SPNEGO credentials returns  

Sun fixed the same issue explicitly in the delegated credentials path  
(it is also a workaround, but it did have the advantage of not being a  
special case for SPNEGO).

So, I'm wondering: was this fixed correctly? Is the expectation that,  
when using pseudo-mechanisms, you will acquire credentials for the  
pseudo-mechanism or for the concrete mechanism? If it's the former,  
well, it doesn't work right now. I ask because it impacts some other  

-- Luke
-- |

More information about the krbdev mailing list