[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Nico Williams nico at cryptonector.com
Fri Nov 22 22:45:28 UTC 2019


On Fri, Nov 22, 2019 at 11:24:44AM +0100, Stefan Metzmacher wrote:
> > Correspondingly and symmetrically, the right way to request some
> > behavior on the side where the credential is available, is to associate
> > that request with the desired_name for which the credential is acquired.
> 
> So you mean we need to pass an explicit desired_name to
> gss_acquire_cred_from() and use gss_set_name_attribute() calls
> (for no_transit_check and iterate_acceptor_keytab) on that desired_name
> before?

Oh, wait, right.  That's not going to work when you want a default
credential.

Alright.  I've got a nasty cold and can't think straight, and deadlines
to meet to boot too.  I'll respond more thoughtfully some time next
week.

Nico