Delegated creds and SPNEGO

Luke Howard lukeh at
Wed Aug 26 13:49:00 EDT 2009

On 26/08/2009, at 7:45 PM, Love Hörnquist Åstrand wrote:

> 26 aug 2009 kl. 10:09 skrev Luke Howard:
>> So, I'm wondering: was this fixed correctly? Is the expectation that,
>> when using pseudo-mechanisms
> Pseudo mechs are mostly broken. Basically, every time you add a new
> pseudo or combined mech you are running into the problems that you
> described.

Sun fixed it without explicitly checking for SPNEGO, instead making  
the assumption that pseudo-mechs do not wrap credential handles. The  
comment in the source is:

"If we got back an OID different from the original token OID, assume  
the delegated_cred is already a proper union_cred and just return it.  
Don't try to re-wrap it. This is for SPNEGO or other pseudo-mechanisms."


-- Luke

PS. MIT/Sun: are there plans to resync Sun's SPNEGO and mechglue  

More information about the krbdev mailing list
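
The OID rule quoted in the message above, modeled as an added example (not code from the post, nor from the MIT, Sun or Heimdal sources). The `cred` type, the function names and the `oid_check` switch are hypothetical, and the model assumes the pseudo-mechanism re-enters the mechglue for the negotiated mechanism.

```c
#include <stdlib.h>
#include <string.h>

#define OID_KRB5   "1.2.840.113554.1.2.2"
#define OID_SPNEGO "1.3.6.1.5.5.2"
enum { MECH_CRED = 1, UNION_CRED = 2 };

/* Toy credential handle: either a raw mechanism cred or a mechglue wrapper. */
typedef struct cred { int kind; const char *mech; struct cred *inner; } cred;

static cred *new_cred(int kind, const char *mech, cred *inner) {
    cred *c = malloc(sizeof *c);
    if (!c) abort();
    c->kind = kind; c->mech = mech; c->inner = inner;
    return c;
}

static cred *glue_accept(const char *token_oid, int oid_check);

/* Mechanism dispatch: fills *actual with the mech that really authenticated. */
static cred *mech_accept(const char *token_oid, const char **actual, int oid_check) {
    if (strcmp(token_oid, OID_SPNEGO) == 0) {
        /* Assumption: the pseudo-mech re-enters the mechglue for the negotiated
           mechanism, so what it hands back is already a union cred. */
        *actual = OID_KRB5;
        return glue_accept(OID_KRB5, oid_check);
    }
    *actual = token_oid;
    return new_cred(MECH_CRED, token_oid, NULL);  /* raw delegated cred */
}

/* Mechglue accept path; oid_check=1 applies the rule quoted in the post. */
static cred *glue_accept(const char *token_oid, int oid_check) {
    const char *actual = NULL;
    cred *deleg = mech_accept(token_oid, &actual, oid_check);
    if (oid_check && strcmp(actual, token_oid) != 0)
        return deleg;                       /* already a union cred: do not re-wrap */
    return new_cred(UNION_CRED, actual, deleg);
}

/* Number of mechglue wrappers around the raw cred; callers expect exactly 1. */
static int wrap_depth(const cred *c) {
    int n = 0;
    for (; c && c->kind == UNION_CRED; c = c->inner) n++;
    return n;
}

int main(void) {
    return !(wrap_depth(glue_accept(OID_SPNEGO, 1)) == 1 &&
             wrap_depth(glue_accept(OID_SPNEGO, 0)) == 2);
}
```

Without the OID comparison the SPNEGO path yields a wrapper around a wrapper, so a caller that unwraps once would treat a union cred as a mechanism cred.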