[36514] in Kerberos


Not getting delegation credential from gss_accept_sec_context()

daemon@ATHENA.MIT.EDU (Xie, Hugh)
Mon Oct 6 16:49:54 2014

Date: Mon, 06 Oct 2014 20:49:33 +0000
From: "Xie, Hugh" <hugh.xie@bankofamerica.com>
To: "Kerberos@mit.edu" <Kerberos@mit.edu>
Message-id: <7E270C3427928E499F189C5636C52CDC45B77E59@smtp_mail.bankofamerica.com>

Hi,

I am having trouble with S4U2Proxy. Looking into accept_sec_context.c, it has:

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL && /* no unconstrained delegation */
        cred->usage == GSS_C_BOTH &&
        (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
        /*
         * Now, we always fabricate a delegated credentials handle
         * containing the service ticket to ourselves, which can be
         * used for S4U2Proxy.
         */
        major_status = create_constrained_deleg_creds(minor_status, cred,
                                                      ticket, &deleg_cred,
                                                      context);
        if (GSS_ERROR(major_status))
            goto fail;
        ctx->gss_flags |= GSS_C_DELEG_FLAG;
    }

I added some printfs to check the verifier_cred_handle I passed into gss_accept_sec_context(); it is set back to GSS_C_NO_CREDENTIAL once it reaches kg_accept_krb5(). That in turn causes one of the conditions, cred->usage == GSS_C_BOTH, to be false. I definitely verified verifier_cred_handle before I called gss_accept_sec_context(), and it is coming from a call:

        maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                                    GSS_C_NO_OID_SET, GSS_C_BOTH, &state->server_creds, NULL, NULL);

So my assumption is that the cred->usage flag should be GSS_C_BOTH.

Anyway, please let me know how I can debug this issue.

Thanks.

Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
