About proxy_impersonator

Greg Hudson ghudson at mit.edu
Tue Feb 19 17:53:23 EST 2019

On 2/16/19 2:28 AM, Weijun Wang wrote:
> Suppose there is only one process, is the intermediate server also forbidden to get a ticket to a backend server on its own?

If a caller uses an impersonator credential with gss_init_sec_context(),
the GSSAPI layer will always try to make an S4U2Proxy request, not a
regular TGS request.

The same caller may have previously acquired a cred handle which it used
to produce the impersonator cred (either with gss_accept_sec_context()
or gss_acquire_cred_impersonate_name()).  That cred could be used to get
a ticket to another server with a regular TGS request.

> Is this true for any GSS_C_BOTH credential?

No, the GSS_C_BOTH usage is orthogonal.  Impersonator credentials are
typically GSS_C_INITIATE, and a GSS_C_BOTH credential which is not an
impersonator cred can be used to make regular TGS requests.
