[20230] in Kerberos_V5_Development
Re: MIT Kerberos using invalid in-memory credential cache
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Mon Jan 11 11:39:07 2021
MIME-Version: 1.0
In-Reply-To: <CAMeQEL_0XWJCF2S+RHVn2k9HL5ZVwCK+p_JLdseunOgz0nUY1w@mail.gmail.com>
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Mon, 11 Jan 2021 13:09:01 +0530
Message-ID: <CAMeQEL_Zh95KHD_ymHHy7XGOt0aZ_55Hcmbi4X+reVpbYtD2Mg@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
One more qus - How to create SPNEGO output token from gss_init_sec_context
using krb5 gss credential ?
On Thu, Jan 7, 2021 at 1:41 PM Vipul Mehta <vipulmehta.1989@gmail.com>
wrote:
> I tried the fix but it didn't work. I observed there are some other issues
> w.r.t. mechanism type from curl and would like to understand behavior
> before further analysis.
>
> 1) How is default credential picked up when GSS_C_NO_CREDENTIAL is
> specified in gss_init_sec_context() ? How is in-memory credential cache
> used here ?
> 2) If the GSS credential passed to gss_init_sec_context() does not match
> the specified mechanism type then GSS_C_NO_CREDENTIAL is the value
> returned from gssint_get_mechanism_cred(). Why it does not simply fail
> here as client didn't pass matching oid and cred ?
>
>
>
> On Wed, Dec 30, 2020 at 10:43 PM Greg Hudson <ghudson@mit.edu> wrote:
>
>> On 12/29/20 7:21 AM, Vipul Mehta wrote:
>> > I see that some fix has been done in newer version :
>> >
>> https://github.com/krb5/krb5/commit/146dadec8fe7ccc4149eb2e3f577cc320aee6efb#diff-8f14845d698c6c1242bf1288e7bfec3db113dd57279601af016ec0df4a20949e
>> >
>> > Will it help ? How to debug this issue further in our service ?
>>
>> It might. One of the bugs fixed in that commit is that two simultaneous
>> references to the same memory cache would cause one of the references to
>> become a dangling pointer when the other is destroyed. I'm not sure how
>> upgrading curl would lead to that scenario, though.
>>
>> If you choose to backport this commit, note that it contained a bug,
>> described here:
>>
>> https://krbdev.mit.edu/rt/Ticket/Display.html?id=8771
>>
>
>
> --
> Regards,
> Vipul
>
--
Regards,
Vipul
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
