ghudson at mit.edu
Tue Feb 19 17:53:23 EST 2019
On 2/16/19 2:28 AM, Weijun Wang wrote:

> Suppose there is only one process, is the intermediate server also forbidden to get a ticket to a backend server on its own?

If a caller uses an impersonator credential with gss_init_sec_context(),
the GSSAPI layer will always try to make an S4U2Proxy request, not a
regular TGS request.

The same caller may have previously acquired a cred handle which it used
to produce the impersonator cred (either with gss_accept_sec_context()
or gss_acquire_cred_impersonate_name()). That cred could be used to get
a ticket to another server with a regular TGS request.

> Is this true for any GSS_C_BOTH credential?

No, the GSS_C_BOTH usage is orthogonal. Impersonator credentials are
typically GSS_C_INITIATE, and a GSS_C_BOTH credential which is not an
impersonator cred can be used to make regular TGS requests.