Delegated creds and SPNEGO
Luke Howard
lukeh at padl.com
Mon Aug 31 14:08:35 EDT 2009
> Our special case does not actually check for the SPNEGO OID. It's a
> very simple special case (if (have_deleg_cred && actual_mech !=
> initial_context_token_mech) then expect the mech to have returned a
> mechglue cred, not a mech cred). It could use a tiny tweak for the
> case of composite mechs (instead of actual_mech !=
> initial_context_token_mech it needs to check that
> initial_context_token_mech is equal to or a prefix of actual_mech).

OK, I've implemented this (more or less). Seems to work.

MIT: this means I've backed out the deleg credentials fix that went
in 1.7 (this is in the S4U branch). However, I have verified
delegation still works.

-- Luke
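
The check discussed in the quoted text, sketched as an added example (not code from this message or from either Kerberos code base). It assumes the tweak is read as "a mech cred is expected when initial_context_token_mech is equal to or a prefix of actual_mech, a mechglue cred otherwise"; `mech_oid`, `cred_kind`, `expected_deleg_cred` and the composite OID are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for gss_OID_desc: the DER-encoded OID contents. */
typedef struct {
    size_t length;
    const unsigned char *elements;
} mech_oid;

typedef enum { CRED_NONE, CRED_MECH, CRED_MECHGLUE } cred_kind;

/* Nonzero if `prefix` equals `oid` or is a leading run of its arcs.
 * Both inputs are valid encodings, so a byte-wise prefix match always ends
 * on an arc boundary (the final byte of each arc has its high bit clear). */
static int oid_equal_or_prefix(const mech_oid *prefix, const mech_oid *oid)
{
    if (prefix->length == 0 || prefix->length > oid->length)
        return 0;
    return memcmp(prefix->elements, oid->elements, prefix->length) == 0;
}

/* Which kind of delegated credential the caller should expect back. */
static cred_kind expected_deleg_cred(int have_deleg_cred,
                                     const mech_oid *initial_context_token_mech,
                                     const mech_oid *actual_mech)
{
    if (!have_deleg_cred)
        return CRED_NONE;
    /* Same mech, or a composite built on it: the mech returned its own cred. */
    if (oid_equal_or_prefix(initial_context_token_mech, actual_mech))
        return CRED_MECH;
    /* Different mech (e.g. negotiated under SPNEGO): expect a mechglue cred. */
    return CRED_MECHGLUE;
}

/* SPNEGO 1.3.6.1.5.5.2 and Kerberos 5 1.2.840.113554.1.2.2 */
static const unsigned char spnego_der[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const unsigned char krb5_der[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
/* Constructed composite: the krb5 OID with one extra arc appended. */
static const unsigned char composite_der[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01 };

static const mech_oid SPNEGO = { sizeof spnego_der, spnego_der };
static const mech_oid KRB5 = { sizeof krb5_der, krb5_der };
static const mech_oid KRB5_COMPOSITE = { sizeof composite_der, composite_der };
```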