Isaac Boukris

@metze-samba, with this fixup check-context pass locally for me: ```diff $ git diff diff --git a/tests/gss/Makefile.am b/tests/gss/Makefile.am index 213283270..86dc24132 100644 --- a/tests/gss/Makefile.am +++ b/tests/gss/Makefile.am @@ -85,4 +85,5 @@ EXTRA_DIST =...

Ouch, that's the error I had before the fixup .. weird.

I was able to reproduce by doing the same, "mkdir ci-build; cd ci-build; ../configure ...", see demo fixup at: https://github.com/iboukris/heimdal/commit/3d04b05df25e443c09a5128eb4494eea328431b0

Hi @nicowilliams, perhaps it would make sense to use cred_store option here too, for the transited path option? I can look into it to see if it works out.

> kgetcred should obtain a fresh service ticket if the cache does not yet have one for the specified client The problem is the the client isn't really specified, it's...

> Perhaps the easiest fix is to skip check_cc() (and therefore always fetch a fresh ticket) if we’re using an evidence ticket. This isn't ideal, beyond the overhead of fetching...

In a closer look it appears that the original intent was as @RobCrowston suggested, to simply avoid the cache check when doing S4U2Proxy, and this is just a logical bug...

Thanks for looking at this, note that it has become a bit work-in-progress as I'd like to update it with some insights learned while implementing related work in MIT (like...

I tested it manually against Windows and it looks okay, I'll try to add automated tests. ``` echo PASSWD | kinit -f HTTP/[email protected] /usr/heimdal/bin/kgetcred --out-cache=evidence --impersonate=HTTP/[email protected] -H HTTP/[email protected] - kdc...

I managed to add a test for the protocol-transition case, but I'm having troubles with the constrained-delegation test. Since now we can't get an evidence ticket with self as client...