About proxy_impersonator
Greg Hudson
ghudson at mit.edu
Mon Feb 25 11:36:06 EST 2019
On 2/25/19 2:59 AM, Weijun Wang wrote:
> So gss_init_sec_context() is called using the default credential, it should
>
> 1) notice there is a proxy_impersonator
> 2) find a TGT matching the service name at #2
> 3) find the proxy credential matching the service name at #1
> 4) request ticket to any other service using #2 with #1 as the second ticket
I don't think code should make assumptions about credential order in a
ccache. So I would amend the first three steps to:
1) notice there is a proxy_impersonator; get its value
2) find a TGT for (proxy_impersonator value) -> krbtgt/REALM at REALM
(where REALM is the realm of the proxy_impersonator value)
3) find the evidence ticket for (default principal of ccache) ->
(proxy_impersonator value)
More information about the krbdev
mailing list