Delegated creds and SPNEGO

pk kranenburg at
Thu Sep 24 10:03:53 EDT 2009

> So, I'm wondering: was this fixed correctly? Is the expectation that,  
> when using pseudo-mechanisms, you will acquire credentials for the  
> pseudo-mechanism or for the concrete mechanism? If it's the former,  
> well, it doesn't work right now. I ask because it impacts some other  
> work.

Given `src_name' is mechanism specific and `mech_type' also contains
the actually chosen mechanism, returning a mechanism specific delegated
credential would be by far the most sensible thing to do. 

See also my post to the krbdev list from May 22, 2007 for an alternative
fix, which is cleaner, IMHO, because it avoids hard-coding the
SPNEGO OID and allows the composite/stacked mechamism implementation
to decide what to return.


More information about the krbdev mailing list