About proxy_impersonator

Greg Hudson ghudson at mit.edu
Mon Feb 25 11:36:06 EST 2019

On 2/25/19 2:59 AM, Weijun Wang wrote:
> So gss_init_sec_context() is called using the default credential, it should 
> 1) notice there is a proxy_impersonator
> 2) find a TGT matching the service name at #2
> 3) find the proxy credential matching the service name at #1
> 4) request ticket to any other service using #2 with #1 as the second ticket

I don't think code should make assumptions about credential order in a
ccache.  So I would amend the first three steps to:

1) notice there is a proxy_impersonator; get its value
2) find a TGT for (proxy_impersonator value) -> krbtgt/REALM@REALM
(where REALM is the realm of the proxy_impersonator value)
3) find the evidence ticket for (default principal of ccache) ->
(proxy_impersonator value)
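
The three amended steps, as an added example that is not part of the original message and is not MIT krb5 code: a small Python model of a ccache that selects the TGT and the evidence ticket by principal name, so the result does not depend on the order of entries. The dictionary layout, the function names and the sample principals are assumptions made for illustration.

```python
class CredNotFound(LookupError):
    """No cache entry matches the requested client/server pair."""

def realm_of(principal):
    # Realm is the text after the last '@' (escaped '@' is not handled here).
    _, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return realm

def find_cred(creds, client, server):
    # Match on principal names, never on position in the cache.
    for cred in creds:
        if cred["client"] == client and cred["server"] == server:
            return cred
    raise CredNotFound(f"{client} -> {server}")

def select_proxy_creds(ccache):
    # Step 1: notice the proxy_impersonator setting and get its value.
    impersonator = ccache["config"].get("proxy_impersonator")
    if impersonator is None:
        return None  # ordinary cache, no constrained delegation state
    # Step 2: TGT for impersonator -> krbtgt/REALM@REALM.
    realm = realm_of(impersonator)
    tgt = find_cred(ccache["creds"], impersonator, f"krbtgt/{realm}@{realm}")
    # Step 3: evidence ticket for default principal -> impersonator.
    evidence = find_cred(ccache["creds"], ccache["default_principal"], impersonator)
    return impersonator, tgt, evidence

# Constructed sample data (hypothetical principals, tickets reduced to a tag).
SVC = "HTTP/web.example.com@EXAMPLE.COM"
USER = "alice@EXAMPLE.COM"
TGT = {"client": SVC, "server": "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "tag": "tgt"}
EVIDENCE = {"client": USER, "server": SVC, "tag": "evidence"}
# Distractor: same server as the TGT but a different client.
USER_TGT = {"client": USER, "server": "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "tag": "user-tgt"}

def make_ccache(creds, impersonator=SVC):
    config = {} if impersonator is None else {"proxy_impersonator": impersonator}
    return {"default_principal": USER, "config": config, "creds": list(creds)}

if __name__ == "__main__":
    for order in ([TGT, EVIDENCE, USER_TGT], [USER_TGT, EVIDENCE, TGT]):
        name, tgt, ev = select_proxy_creds(make_ccache(order))
        print(name, tgt["tag"], ev["tag"])
```

A lookup that fails raises `CredNotFound` rather than falling back to whichever entry happens to come first.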

More information about the krbdev mailing list