Delegated creds and SPNEGO

Luke Howard lukeh at
Mon Aug 31 14:08:35 EDT 2009

> Our special case does not actually check for the SPNEGO OID.  It's a
> very simple special case (if (have_deleg_cred && actual_mech !=
> initial_context_token_mech) then expect the mech to have returned a
> mechglue cred, not a mech cred).  It could use a tiny tweak for the  
> case
> of composite mechs (instead of actual_mech !=  
> initial_context_token_mech
> it needs to check that initial_context_token_mech is equal to or a
> prefix of actual_mech).

OK, I've implemented this (more or less). Seems to work.

MIT: this means, I've backed out the deleg credentials fix that went  
in 1.7 (this is in the S4U branch). However, I have verified  
delegation still works

-- Luke

More information about the krbdev mailing list