Hi again,

On Sat, Dec 26, 2015 at 3:47 AM, Isaac Boukris <ibouk...@gmail.com> wrote:
> Hello,
>
> I'm trying to use gss_acquire_cred_impersonate_name() followed by
> gss_store_cred_into() to store impersonated creds into a ccache which
> I later use for calling gss_init_sec_context() on behalf of the user.
>
> This works fine (against w2k3) but it seems that each call to
> gss_init_sec_context() incurs a new TGS exchange (on wire) and
> subsequently 'klist' shows additional entries although the target
> server is the same.
> This doesn't happen when I use regular 'kinit' to initialize the
> ccache (rather the first TGS seems to be reused).
>
> I was wondering if this is expected in a constrained-delegation scenario
> or whether I might be doing something wrong (tested with 1.12.2 and
> 1.14-pre).

I think I found the bug in 'init_sec_context': when we have impersonator
credentials, we don't check first if we have cached credentials.

Please have a look at PR #381 - it fixes it for me (no high rate of TGS
exchange and no duplicate entries in ccache).

Thanks a lot!
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
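
A way to check a ccache for the symptom described in this thread (several `klist` entries for the same target server), as an added example that is not part of the original messages or of PR #381. It assumes the default MIT `klist` table layout for a single cache; the sample output, principals and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of MIT `klist` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_proxy
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
12/26/2015 03:40:01  12/26/2015 13:40:01  HTTP/web.example.com@EXAMPLE.COM
12/26/2015 03:40:07  12/26/2015 13:40:01  HTTP/web.example.com@EXAMPLE.COM
12/26/2015 03:40:12  12/26/2015 13:40:01  HTTP/web.example.com@EXAMPLE.COM
12/26/2015 03:40:01  12/26/2015 13:40:01  ldap/dc.example.com@EXAMPLE.COM
\trenew until 01/02/2016 03:40:01
"""

# A ticket row: "date time", "date time", then the service principal,
# with the three columns separated by two or more spaces.
ROW = re.compile(r"^(\S+ \S+)\s{2,}(\S+ \S+)\s{2,}(\S+)\s*$")


def service_counts(klist_text):
    """Count ccache entries per service principal in `klist` output."""
    counts = Counter()
    in_table = False
    for line in klist_text.splitlines():
        if line.startswith("Valid starting"):
            in_table = True          # ticket rows follow this header
            continue
        # Skip everything before the table and indented continuation
        # lines such as "renew until ...".
        if not in_table or line[:1].isspace():
            continue
        m = ROW.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts


def duplicated_services(klist_text):
    """Return {service principal: entry count} for services stored more than once."""
    return {svc: n for svc, n in service_counts(klist_text).items() if n > 1}


if __name__ == "__main__":
    for svc, n in sorted(duplicated_services(SAMPLE_KLIST).items()):
        print(f"{svc}: {n} entries")
```

Running it over real `klist` output before and after several `gss_init_sec_context()` calls shows whether the entry count for the target service keeps growing.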