About proxy_impersonator

Greg Hudson ghudson at mit.edu
Thu Feb 14 20:56:45 EST 2019

On 2/14/19 8:24 PM, Weijun Wang wrote:
>    proxy_impersonator

> I wonder what we (Java, as another krb5 vendor) should do when this entry appears in a ccache file. Should this ccache always belong to an intermediate server that works as both an initiator and an acceptor? If the entry is there, does it mean it should always use S4U2Proxy to request a ticket to a backend server on behalf of a client and should never request one for itself?

Basically yes.  (MIT krb5 handles this at the GSSAPI layer, not the
libkrb5 layer, so kvno would try to make regular requests with such a
ccache, probably without success.  But that's probably a limitation, not
a feature.)

> A ccache file is meant for sharing between processes. Who wrote this flag and who should use it?

This variable was introduced by commit
38de4804776a1a1a255b89b104b983fa1f10a664.  I was requested to make
gss_store_cred_into() and similar operations work with creds resulting
from gss_acquire_cred_impersonate_name() as well as synthetic delegated
creds obtained from gss_accept_sec_context().
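As an added example (not code from this thread, from MIT krb5, or from Java), here is a small Python reader that pulls the proxy_impersonator entry out of a credential cache, so a tool on the intermediate server can tell an S4U2Proxy cache apart from a regular one before deciding how to use it. It assumes the MIT ccache version 4 file layout and the X-CACHECONF: pseudo-principal convention for config entries, and builds a constructed cache in memory rather than reading a real one.

```python
import struct
# Added example, not MIT krb5 or Java code. Assumes the MIT ccache v4 layout:
# a config entry such as proxy_impersonator is a pseudo-credential whose server
# principal is krb5_ccache_conf_data/<key>@X-CACHECONF:, value in the ticket field.
CONF_REALM, CONF_SERVICE = b"X-CACHECONF:", b"krb5_ccache_conf_data"
def _u32(n): return struct.pack(">I", n)
def _data(b): return _u32(len(b)) + b
def _principal(realm, comps):  # name type 1 = NT-PRINCIPAL
    return _u32(1) + _u32(len(comps)) + _data(realm) + b"".join(map(_data, comps))
def _cred(client, server, ticket):
    # 35 zeros: keyblock(6) times(16) is_skey(1) flags(4) addr count(4) authdata count(4)
    return client + server + b"\x00" * 35 + _data(ticket) + _data(b"")

def build_ccache(client, impersonator=None):
    # Constructed v4 ccache: magic, empty header, default principal, then creds
    me = _principal(b"EXAMPLE.COM", [client])
    tgt = _principal(b"EXAMPLE.COM", [b"krbtgt", b"EXAMPLE.COM"])
    buf = b"\x05\x04\x00\x00" + me + _cred(me, tgt, b"<tgt bytes>")
    if impersonator is not None:  # the entry the thread is about
        conf = _principal(CONF_REALM, [CONF_SERVICE, b"proxy_impersonator"])
        buf += _cred(me, conf, impersonator)
    return buf

class _Reader:
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, n): self.pos += n; return self.buf[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())
    def principal(self):
        self.u32(); n = self.u32(); realm = self.data()
        return realm, [self.data() for _ in range(n)]
    def cred(self):  # returns (server principal, ticket), skipping the rest
        self.principal(); server = self.principal()
        self.take(2); self.data(); self.take(21)   # keyblock, times, is_skey, flags
        for _ in range(2):                         # addresses, then authdata
            for _ in range(self.u32()): self.take(2); self.data()
        ticket = self.data(); self.data()          # ticket, second_ticket
        return server, ticket

def ccache_config(buf):
    # Map every X-CACHECONF: pseudo-credential in a v4 ccache to {key: value}
    r = _Reader(buf)
    assert r.take(2) == b"\x05\x04", "only ccache format version 4 is handled"
    r.take(struct.unpack(">H", r.take(2))[0]); r.principal()  # header, default principal
    conf = {}
    while r.pos < len(buf):
        (realm, comps), ticket = r.cred()
        if realm == CONF_REALM and comps[0] == CONF_SERVICE:
            conf[comps[1].decode()] = ticket.decode()
    return conf
```

A cache whose config map contains "proxy_impersonator" is one the GSSAPI layer will only use for S4U2Proxy requests on behalf of that principal; a cache without it is an ordinary initiator cache.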

More information about the krbdev mailing list