Delegated creds and SPNEGO
Luke Howard
lukeh at padl.com
Wed Aug 26 13:49:00 EDT 2009
On 26/08/2009, at 7:45 PM, Love Hörnquist Åstrand wrote:
>
> On 26 Aug 2009 at 10:09, Luke Howard wrote:
>
>> So, I'm wondering: was this fixed correctly? Is the expectation that,
>> when using pseudo-mechanisms
>
> Pseudo mechs are mostly broken. Basically, every time you add a new
> pseudo or combined mech you run into the problems that you
> described.
Sun fixed it without explicitly checking for SPNEGO, instead making
the assumption that pseudo-mechs do not wrap credential handles. The
comment in the source is:

"If we got back an OID different from the original token OID, assume
the delegated_cred is already a proper union_cred and just return it.
Don't try to re-wrap it. This is for SPNEGO or other pseudo-mechanisms."

(cf. http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libgss/g_accept_sec_context.c)

-- Luke

PS. MIT/Sun: are there plans to resync Sun's SPNEGO and mechglue
changes?
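Added example, not part of the original message and not Sun's or MIT's code: a simplified C model of the check the quoted source comment describes, where the mechglue wraps a delegated credential only when the mechanism OID returned matches the OID of the incoming token. The types `model_oid` and `model_union_cred` and the function `finish_delegated_cred` are hypothetical stand-ins for `gss_OID`, the union credential and the tail of the accept path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for gss_OID and the mechglue union credential. */
typedef struct { size_t len; const unsigned char *bytes; } model_oid;
typedef struct { const model_oid *mech; void *mech_cred; } model_union_cred;

/* DER bodies of the SPNEGO (1.3.6.1.5.5.2) and Kerberos 5
 * (1.2.840.113554.1.2.2) mechanism OIDs. */
static const unsigned char spnego_der[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char krb5_der[] =
    {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const model_oid SPNEGO_OID = { sizeof spnego_der, spnego_der };
static const model_oid KRB5_OID = { sizeof krb5_der, krb5_der };

static int oid_equal(const model_oid *a, const model_oid *b)
{
    return a->len == b->len && memcmp(a->bytes, b->bytes, a->len) == 0;
}

/* token_oid: mechanism named in the incoming token.
 * actual_oid: mechanism the selected mech reports it established.
 * Returns the handle to give the caller, or NULL if there is none. */
void *finish_delegated_cred(const model_oid *token_oid,
                            const model_oid *actual_oid, void *deleg)
{
    if (deleg == NULL)
        return NULL;
    /* OIDs differ: a pseudo-mechanism negotiated a real mechanism, so its
     * handle is assumed to be a union credential already. Do not re-wrap. */
    if (!oid_equal(token_oid, actual_oid))
        return deleg;
    /* Same OID: deleg is a bare mechanism credential and must be wrapped. */
    model_union_cred *u = calloc(1, sizeof *u);
    if (u == NULL)
        return NULL;
    u->mech = actual_oid;
    u->mech_cred = deleg;
    return u;
}

int main(void)
{
    int raw = 1;                                   /* constructed mech cred */
    model_union_cred inner = { &KRB5_OID, &raw };  /* pseudo-mech's result */
    void *a = finish_delegated_cred(&SPNEGO_OID, &KRB5_OID, &inner);
    model_union_cred *b = finish_delegated_cred(&KRB5_OID, &KRB5_OID, &raw);
    printf("SPNEGO token: passed through unchanged = %d\n", a == (void *)&inner);
    printf("krb5 token: wrapped = %d\n", b != NULL && b->mech_cred == &raw);
    free(b);
    return 0;
}
```

In this model the decision rests only on the OID comparison; the handle itself is opaque, so the caller receives the right type only if every mechanism that reports a different OID has in fact returned a union credential.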