Constrained Delegation

Do the Quest/VAS GSSAPI libraries (libvas-gssapi.so) support Constrained Delegation?

I have this working with the MIT Kerberos GSSAPI libraries, but when I switch to libvas-gssapi.so it stops.

When doing the gss_accept_sec_context(), it appears the token passed is not seen as a "proxy credential", since I'm not getting back GSS_C_DELEG_FLAG as I do with MIT.

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#constrained-delegation-s4u

https://web.mit.edu/kerberos/krb5-latest/doc/formats/ccache_file_format.html#credential-cache-configuration-entries

proxy_impersonator - The presence of this key indicates that the cache is a synthetic delegated credential for use with S4U2Proxy. The value is the name of the intermediate service whose TGT can be used to make S4U2Proxy requests for target services. This key is not associated with any principal.

I tried the latest QAS_4_1_7_23754 libraries.

Thanks!

-Chuck

  • Constrained delegation is not something we have ever looked into with our current libraries.

    Later in February Authentication Services 4.2 is being released and has an updated version of Heimdal Kerberos at the center. It might be worth testing on that version when it comes out.
