<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>3 dec 2010 kl. 14:52 skrev Andrew Bartlett:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>On Fri, 2010-12-03 at 22:47 +0000, Love Hörnquist Åstrand wrote:<br><blockquote type="cite">Hello tridge,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">An alternative is to use the GSS_C_DELEG_POLICY_FLAG which only<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">delegates if the admin of the domain have said its ok to delegate<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">to that host.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Would you recommend that we add it?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">With my current patches the flags we're passing are:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I would recommend what Microsoft sends + GSS_S_DELEG_POLICY_FLAG.<br></blockquote><br>Thanks.  <br><br>Tridge,<br><br>I'm pretty sure we removed the ability to forward for a good reason<br>however, so re-enabling this may expose other gremlins.  I guess we now<br>need to look into and understand that better.<br></div></blockquote></div><br><div><br></div><div>Not that I didn't propose GSS_C_DELEG_FLAG, the new flag GSS_C_DELEG_POLICY_FLAG will only delegate if the admin for domain have approved delegation (ie set ok-as-delegate ticket flag).</div><div><br></div><div>Love</div><div><br></div><div><br></div></body></html>