Bug 1694132 - [RFE] GSS_C_DELEG_FLAG support [NEEDINFO]
Summary: [RFE] GSS_C_DELEG_FLAG support
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.1
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2019-03-29 15:15 UTC by toasty
Modified: 2019-04-15 15:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:
rharwood: needinfo? (afarley)

Description toasty 2019-03-29 15:15:15 UTC
Description of problem:
We have a client-server system that uses Kerberos for authentication.  When Kerberos Constrained Delegation is enabled, gss_accept_sec_context() is not returning the GSS_C_DELEG_FLAG to indicate we have a delegated credential for the client-user.  The client-user's delegated/proxy credential is needed to access any downstream Kerberos protected resources, such as Hadoop.  The client can be a web browser or one of our thick clients, which are running on Windows, accessing our server-tier running on RHEL.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.1 (Santiago)
krb5-libs.x86_64                      1.9-9.el6
I also tried MIT Kerberos 1.10.3 and it had the same problem

RHEL 7 is working correctly with these Kerberos libraries:
Red Hat Enterprise Linux Server release 7.2 (Maipo)
krb5-libs.x86_64                   1.14.1-27.el7_3
Red Hat Enterprise Linux Server release 7.4 (Maipo)
krb5-libs.x86_64                   1.15.1-8.el7 

How reproducible:
Reproducing requires some type of client server system configured for Kerberos and Constrained Delegation enabled in Active Directory.

Actual Results:
gss_accept_sec_context() is called to accept the inbound client-user's token as part of the Kerberos handshake.  On acceptance the GSS_C_DELEG_FLAG is not being returned.

Expected Results:
gss_accept_sec_context() should be returning the GSS_C_DELEG_FLAG when Constrained Delegation is enabled.

Additional info:
I *think* this ticket resolved the problem in 1.11
