Delegation using MIT client

ambekar@gmail.com
I am trying to do delegation using gssapi/MIT client. I am using
Microsoft Kerberos and I have configured my UNIX boxes for the Kerberos
realm. I am able to make my application and service work in this
environment. I have a requirement to make client credentials delegated
to server for impersonation.
I have created a forwardable and proxiable ticket (I tried a ticket for
the service as well as a TGT). I am trying to call gss_init_sec_context with
the GSS_C_DELEG_FLAG flag. gss_init_sec_context returns with
GSS_S_CONTINUE_NEEDED, but ret_flags does not contain GSS_C_DELEG_FLAG!
Also, with this context, gss_accept_sec_context returns a NULL value for
the delegated_cred_handle. Any clues on this?

Thanks in advance.
Ashwin Ambekar

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Delegation using MIT client

ambekar@gmail.com
Is there any known issue with krb5-devel-1.2.7-19 (RedHat AS 3) for
delegation? I am not getting ret_flag set to GSS_C_DELEG_FLAG in
gss_init_sec_context. I downloaded the latest binaries from the MIT
distribution page. After recompilation everything seems to be working
properly!

-Aswin

Re: Delegation using MIT client

hartmans
In reply to this post by ambekar@gmail.com
krb5 1.2.7 had some issues with delegation depending on what
encryption types are being used.  In general we would recommend either
talking to your OS vendor about the problem or upgrading.
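
Added example, not part of the thread and not MIT krb5 code: a check that fails closed when a requested flag such as GSS_C_DELEG_FLAG is missing from ret_flags, or when the acceptor receives no delegated credential, which is the symptom described in the first message. The helper names dropped_flags and may_impersonate are hypothetical; the flag values are copied from RFC 2744 so the block compiles without the Kerberos headers.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Values from RFC 2744. Real code drops this block and includes <gssapi/gssapi.h>. */
#ifndef GSS_C_DELEG_FLAG
typedef uint32_t OM_uint32;
#define GSS_C_DELEG_FLAG  1
#define GSS_C_MUTUAL_FLAG 2
#define GSS_C_CONF_FLAG   16
#define GSS_C_INTEG_FLAG  32
#endif

static const struct { OM_uint32 bit; const char *name; } flag_names[] = {
    { GSS_C_DELEG_FLAG, "DELEG" }, { GSS_C_MUTUAL_FLAG, "MUTUAL" },
    { GSS_C_CONF_FLAG, "CONF" },   { GSS_C_INTEG_FLAG, "INTEG" },
};

/* Hypothetical helper: names of flags requested but absent from ret_flags.
 * Returns "" when nothing was dropped. Uses a static buffer (not thread-safe). */
const char *dropped_flags(OM_uint32 req_flags, OM_uint32 ret_flags)
{
    static char out[64];
    OM_uint32 dropped = req_flags & ~ret_flags;
    size_t i, used;

    out[0] = '\0';
    for (i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(dropped & flag_names[i].bit))
            continue;
        used = strlen(out);
        snprintf(out + used, sizeof out - used, "%s%s",
                 used ? "," : "", flag_names[i].name);
    }
    return out;
}

/* Hypothetical acceptor-side gate: impersonate only when the DELEG bit is set and
 * delegated_cred_handle is not GSS_C_NO_CREDENTIAL (passed in as have_cred). */
int may_impersonate(OM_uint32 ret_flags, int have_cred)
{
    return (ret_flags & GSS_C_DELEG_FLAG) && have_cred;
}

int main(void)
{
    /* Constructed values: DELEG and MUTUAL requested, only MUTUAL and INTEG granted. */
    OM_uint32 req = GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG;
    OM_uint32 ret = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
    printf("requested but not granted: %s\n", dropped_flags(req, ret));
    printf("may impersonate: %d\n", may_impersonate(ret, 0));
    return 0;
}
```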