[20092] in Kerberos_V5_Development
Re: NegoEx broke GSSAPI in BIND 9
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 20 12:15:44 2020
To: Ondřej Surý <ondrej@isc.org>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <dedea091-cd40-8766-723b-90392091f1cd@mit.edu>
Date: Wed, 20 May 2020 12:14:26 -0400
In-Reply-To: <253812D5-B414-4F0D-85D8-EFB57CB1D289@isc.org>
On 5/20/20 5:34 AM, Ondřej Surý wrote:
> Unfortunately, this stopped working since 1.18.1, but perhaps we were doing something
> wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
> so I would appreciate if I can get some pointers where to start with the debugging.
I don't immediately see what's going wrong. What Simo pointed out seems
unlikely to be related to the regression.
Given the error message, my best guess is that this is related to commit
c088f56a62702a2cc99c26185681efee1555b7fa ("Restrict SPNEGO acceptor
mechs by cred acquisition"). It should be possible to individually
revert that commit to confirm. I still wouldn't really know why it
caused a regression, though.
The error message corresponds to ERR_SPNEGO_NO_MECHS_AVAILABLE, which
can be returned from get_available_mechs() or get_negotiable_mechs() in
src/lib/gssapi/spnego/spnego_mech.c. If I had a reproduction recipe for
this, I would start by setting a breakpoint in get_negotiable_mechs() on
the acceptor side, and figure out the execution path differences between
1.17 and 1.18.