[37369] in Kerberos
Re: Constrained Delegation incurs high rate of TGS exchange
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 4 10:34:10 2016
To: Isaac Boukris <iboukris@gmail.com>, kerberos <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <568A90DF.9090504@mit.edu>
Date: Mon, 4 Jan 2016 10:33:51 -0500
MIME-Version: 1.0
In-Reply-To: <CAC-fF8QYJMHnNNJEa1Uc=zL377cMHKqwgV2jrrrLUW+nzwX9RA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 12/27/2015 10:57 PM, Isaac Boukris wrote:
>> I'm trying to use gss_acquire_cred_impersonate_name() followed by
>> gss_store_cred_into() to store impersonated creds into a ccache which
>> I later use for calling gss_init_sec_context() on behalf of the user.
> I think I found the bug in 'init_sec_context', when we have
> impersonator credentials we don't check first if we have cached
> credentials.
> Please have a look at PR #381 - it fixes it for me (no high rate of
> TGS exchange and no duplicate entries in ccache).
Thanks for the clear problem description and the pull request. It may
take a while to get to this because of a big post-holiday work pileup,
but it's on the radar.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
