Hi,

It seems there is a bug in the MIT Kerberos GSS source code where the
delegation state is set in the context flags on the acceptor side.

I am using a keytab on the server side to acquire credentials with an in-memory
credential cache : *cred->usage == GSS_C_BOTH*
The client has the *delegation flag set to false* but has a *forwardable TGT*.

On context establishment on server side :

*A)* If we use it like :

    gss_accept_sec_context(&min_stat,
                           context,
                           server_creds,
                           &recv_tok,
                           GSS_C_NO_CHANNEL_BINDINGS,
                           &client,
                           &doid,
                           &send_tok,
                           ret_flags,
                           NULL,     /* ignore time_rec */
                           NULL);    /* no delegated_cred_handle */

This will work fine and *ret_flags* will have the delegation bit false.

*B)* But if we use it like :

    delegated_gss_cred = NULL;
    gss_accept_sec_context(&min_stat,
                           context,
                           server_creds,
                           &recv_tok,
                           GSS_C_NO_CHANNEL_BINDINGS,
                           &client,
                           &doid,
                           &send_tok,
                           ret_flags,
                           NULL,     /* ignore time_rec */
                           &delegated_gss_cred);    /* delegated_cred_handle != NULL */

Then, it will set the delegation bit in *ret_flags* to true.

.....................................................................................
If we look at the code in *accept_sec_context.c*, it has :

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL && /* no unconstrained delegation */
        cred->usage == GSS_C_BOTH &&
        (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
        /*
         * Now, we always fabricate a delegated credentials handle
         * containing the service ticket to ourselves, which can be
         * used for S4U2Proxy.
         */
        major_status = create_constrained_deleg_creds(minor_status, cred,
                                                      ticket, &deleg_cred,
                                                      context);
        if (GSS_ERROR(major_status))
            goto fail;
        ctx->gss_flags |= GSS_C_DELEG_FLAG;
    }

[ case A ] : ( delegated_cred_handle = address of(NULL) ) == NULL
[ case B ] : ( delegated_cred_handle = address of(NULL pointer) ) != NULL

So, for case B, the above if() condition will be true and it will set the
context delegation flag to true on the acceptor side even though the delegation
flag is false on the initiator side.

-- 
Regards,
Vipul
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos