Alternative proxy-creds API for constrained-delegation

Simo Sorce simo at
Fri Jun 5 09:35:47 EDT 2020

On Fri, 2020-06-05 at 12:11 +0200, Isaac Boukris wrote:
> Actually, even with the cred_store option for delegation_policy, when
> using more than one type, one can't really tell what creds he got at
> the end.
> We have GET_CRED_IMPERSONATOR_OID which I think can be used to inquire
> for proxy-creds, but how do you tell a tgt-less one?  It would be nice
> to be able to inquire about it.

gss_inquire_cred) will return a name for the cred, it could do so an
add a name attribute that marks the credential as "not a TGT" in some


Simo Sorce
RHEL Crypto Team
Red Hat, Inc

More information about the krbdev mailing list