[37361] in Kerberos
Constrained Delegation incurs high rate of TGS exchange
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Fri Dec 25 20:48:18 2015
Date: Sat, 26 Dec 2015 03:47:55 +0200
Message-ID: <CAC-fF8TT7VZKa18w_sSV9XBASH1ZauWgqvxrRtYC8tvKPGs3+A@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
To: kerberos <kerberos@mit.edu>
Hello,
I'm trying to use gss_acquire_cred_impersonate_name() followed by
gss_store_cred_into() to store impersonated creds into a ccache which
I later use for calling gss_init_sec_context() on behalf of the user.
This works fine (against w2k3) but it seems that each call to
gss_init_sec_context() incurs a new TGS exchange (on wire) and
subsequently 'klist' shows additional entries although the target
server is the same.
This doesn't happen when I use regular 'kinit' to initialize the
ccache (rather the first TGS seems to be reused).
I was wondering if this is expected in a constrained-delegation scenario
or whether I might be doing something wrong (tested with 1.12.2 and
1.14-pre).
Thank you,
Isaac Boukris
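
One way to quantify the symptom described in the message above (additional `klist` entries for the same target server), as an added example that is not part of the original post: it parses `klist` text output and reports each client/service pair that is cached more than once. The sample output, realm, host names and cache path are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout MIT `klist` prints; realm, hosts and times are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_deleg
Default principal: websvc@EXAMPLE.COM

Valid starting       Expires              Service principal
12/26/2015 03:40:01  12/26/2015 13:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
12/26/2015 03:40:05  12/26/2015 13:40:01  HTTP/backend.example.com@EXAMPLE.COM
\tfor client alice@EXAMPLE.COM
12/26/2015 03:40:09  12/26/2015 13:40:01  HTTP/backend.example.com@EXAMPLE.COM
\tfor client alice@EXAMPLE.COM
12/26/2015 03:41:12  12/26/2015 13:40:01  HTTP/backend.example.com@EXAMPLE.COM
\tfor client alice@EXAMPLE.COM
12/26/2015 03:41:30  12/26/2015 13:40:01  ldap/dc1.example.com@EXAMPLE.COM
"""

# A ticket line is "<date> <time>  <date> <time>  <service principal>".
ENTRY = re.compile(r"^(\d\S* \S+)\s+(\d\S* \S+)\s+(\S+)$")
DEFAULT = re.compile(r"^Default principal:\s*(\S+)")
# Indented continuation line naming the ticket's client when it differs from the default.
CLIENT = re.compile(r"^\s+for client ([^\s,]+)")

def parse_klist(text):
    """Return (default_principal, [entry dicts]) from `klist` text output."""
    default, entries = None, []
    for line in text.splitlines():
        if (m := DEFAULT.match(line)):
            default = m.group(1)
        elif (m := ENTRY.match(line)):
            entries.append({"start": m.group(1), "service": m.group(3), "client": default})
        elif (m := CLIENT.match(line)) and entries:
            entries[-1]["client"] = m.group(1)  # impersonated user, not the service itself
    return default, entries

def repeated_tickets(text):
    """Map (client, service) -> start times, only for pairs cached more than once."""
    _, entries = parse_klist(text)
    seen = defaultdict(list)
    for e in entries:
        seen[(e["client"], e["service"])].append(e["start"])
    return {pair: starts for pair, starts in seen.items() if len(starts) > 1}

if __name__ == "__main__":
    for (client, service), starts in repeated_tickets(SAMPLE_KLIST).items():
        print(f"{len(starts)} tickets for {service} (client {client}): {', '.join(starts)}")
```
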