Services4User review

Luke Howard lukeh at
Sat Sep 5 02:46:36 EDT 2009

On 05/09/2009, at 5:10 AM, Greg Hudson wrote:

> On Fri, 2009-09-04 at 17:49 -0400, Nicolas Williams wrote:
>> Actually, S4U2Self and Proxy *both* are in the same boat: they can be
>> used without new gss_*cred*() extentions because in both cases they  
>> can
>> be used solely through the delegated credentials returned by
>> gss_accept_sec_context().
> That doesn't match my understanding.  As I understand it, the general
> use case of S4U2Self is that you've authenticated a user by some other
> means (like an X.509 certificate or a password over TLS) and you  
> want to
> get a ticket as that user to examine the PAC information or for use  
> with
> S4U2Proxy.  You never accepted a GSS security context.  So you need
> gss_acquire_cred_impersonate_name to do S4U2Self, but you can then  
> pass
> the resulting credentials to gss_init_sec_context to do S4U2Proxy,
> without needing a second extension.

Yes, that is my understanding too.

-- Luke

More information about the krbdev mailing list