[37370] in Kerberos
Re: Constrained Delegation incurs high rate of TGS exchange
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Mon Jan 4 12:31:30 2016
In-Reply-To: <568A90DF.9090504@mit.edu>
Date: Mon, 4 Jan 2016 19:31:18 +0200
Message-ID: <CAC-fF8SkkS_5_bArdD8xzVpJEPM_uHPdz-3y1L1=n7L_9Wrd3A@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos <kerberos@mit.edu>
On Jan 4, 2016 5:33 PM, "Greg Hudson" <ghudson@mit.edu> wrote:
>
> On 12/27/2015 10:57 PM, Isaac Boukris wrote:
> >> I'm trying to use gss_acquire_cred_impersonate_name() followed by
> >> gss_store_cred_into() to store impersonated creds into a ccache which
> >> I later use for calling gss_init_sec_context() on behalf of the user.
>
> > I think I found the bug in 'init_sec_context', when we have
> > impersonator credentials we don't check first if we have cached
> > credentials.
> > Please have a look at PR #381 - it fixes it for me (no high rate of
> > TGS exchange and no duplicate entries in ccache).
>
> Thanks for the clear problem description and the pull request. It may
> take a while to get to this because of a big post-holiday work pileup,
> but it's on the radar.
Thanks for the feedback.
Note that I've tried to make the changes very local as the code flow is
pretty complicated.
I'll be glad however to make necessary adjustments or test an alternative
patch if needed.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos