Hi All

Please review the code changes at

  http://cr.openjdk.java.net/~weijun/8022582/webrev.00

Sometimes a forwardable ticket request is sent but the KDC returns a 
non-forwardable one. For example, in Windows, an account can be set as 
"sensitive and cannot be delegated". While it's possible to remove the 
"forwardable=true" line in krb5.conf to avoid the check failure, the file is 
global and maybe another account wants to be delegated. Therefore we just 
relax the forwardable check.

KrbTgsReq is also modified so that one can get a service ticket when the TGT is 
not forwardable.

One special case is the S4U2self request: both the existing ticket and the 
expected ticket must be forwardable, and we fail early if one is not.

A new test simulates the "sensitive account" concept in Windows.

Thanks
Max
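
The following is an added example, not code from the webrev or the JDK: a small model of the decision described in the message above, where a missing forwardable flag is tolerated for ordinary requests but still fatal for S4U2self. The function names, the `strict` switch and the sample flag words are assumptions made for illustration; only the bit position comes from RFC 4120.

```python
# Added illustration: models the client-side decision described in the mail.
# Bit numbering follows RFC 4120 (bit 0 is the most significant bit).
FORWARDABLE_BIT = 1  # same position in KDCOptions and TicketFlags


class KrbFlagError(Exception):
    """Raised when the ticket flags cannot satisfy the request."""


def has_bit(flags: int, bit: int) -> bool:
    """Test bit `bit` of a 32-bit Kerberos flag word, MSB-first."""
    return bool((flags >> (31 - bit)) & 1)


def check_before_s4u2self(existing_ticket_flags: int) -> None:
    """Fail early: S4U2self needs a forwardable existing ticket."""
    if not has_bit(existing_ticket_flags, FORWARDABLE_BIT):
        raise KrbFlagError("S4U2self: existing ticket is not forwardable")


def check_reply(kdc_options: int, ticket_flags: int,
                s4u2self: bool = False, strict: bool = False) -> bool:
    """Return True if the returned ticket may be forwarded.

    strict=True  -> a requested-but-missing forwardable flag is an error.
    strict=False -> relaxed: accept the ticket, report it as non-forwardable.
    (Hypothetical switch, used here only to show both behaviours.)
    """
    requested = has_bit(kdc_options, FORWARDABLE_BIT)
    granted = has_bit(ticket_flags, FORWARDABLE_BIT)
    if s4u2self and not granted:
        raise KrbFlagError("S4U2self: returned ticket is not forwardable")
    if strict and requested and not granted:
        raise KrbFlagError("forwardable requested but not granted")
    return granted


# Constructed sample flag words (not captured from a real KDC).
OPT_FORWARDABLE = 0x40000000  # KDCOptions: forwardable
TKT_NORMAL = 0x40E00000       # forwardable, renewable, initial, pre-authent
TKT_SENSITIVE = 0x00E00000    # same ticket with forwardable cleared by the KDC
```

With the relaxed check the caller can no longer infer delegability from the request options, so code that intends to delegate should test the returned ticket's flag itself.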
