[20094] in Kerberos_V5_Development


Re: NegoEx broke GSSAPI in BIND 9

daemon@ATHENA.MIT.EDU (Ondřej Surý)
Wed May 20 17:53:12 2020

From: Ondřej Surý <ondrej@isc.org>
Message-ID: <426708F5-2750-4411-9CAC-56C9E673EB6D@isc.org>
Date: Wed, 20 May 2020 23:52:59 +0200
In-Reply-To: <dedea091-cd40-8766-723b-90392091f1cd@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu

Hi Greg,

Actually, my colleague already ran git bisect on the repository and identified the culprit
to be NegoEx (c2ca2f26eaf817a6a7ed42257c380437ab802bd9), and I have just confirmed
that with an independent test: c088f56a62702a2cc99c26185681efee1555b7fa is still
part of the repository, but I reverted the tree to c2ca2f26eaf817a6a7ed42257c380437ab802bd9~
(the commit before NegoEx) and our tests work again.

Going forward to c2ca2f26eaf817a6a7ed42257c380437ab802bd9 makes our tests
break again.  So, actually there is something in the NegoEx implementation that makes
gss_accept_sec_context() in BIND 9 return with:

20-May-2020 21:49:46.670 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = SPNEGO cannot find mechanisms to negotiate.

I will try to isolate a minimal test case (if I can) tomorrow.

Thanks,
Ondrej
--
Ondřej Surý
ondrej@isc.org

> On 20 May 2020, at 18:14, Greg Hudson <ghudson@mit.edu> wrote:
>
> Given the error message, my best guess is that this is related to commit
> c088f56a62702a2cc99c26185681efee1555b7fa ("Restrict SPNEGO acceptor
> mechs by cred acquisition").  It should be possible to individually
> revert that commit to confirm.  I still wouldn't really know why it
> caused a regression, though.

