[20336] in Kerberos_V5_Development

Use gss_krb5_import_cred() for initiator spnego creds

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Sun Dec 12 19:45:50 2021

From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 13 Dec 2021 02:44:44 +0200
Message-ID: <CAC-fF8SA+tpNnh=nDcP=Og3AQRhJnY3nOwpXkPaB=9QxHgLaLw@mail.gmail.com>
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>

Hi,

When passing a unique memory cache to gss_krb5_import_cred() (aka not
default), I fail to use these creds in gss_init_sec_context() with
spnego mech but succeed with krb5. I wonder if that's a bug or if
there is a way around it.

I managed to reproduce in the test-suite, with this diff:

diff --git a/src/tests/gssapi/t_imp_cred.c b/src/tests/gssapi/t_imp_cred.c
index a2aa5fbae..16b0d1a33 100644
--- a/src/tests/gssapi/t_imp_cred.c
+++ b/src/tests/gssapi/t_imp_cred.c
@@ -75,6 +75,8 @@ main(int argc, char *argv[])
         check_k5err(context, "krb5_parse_name", ret);
     }

+    setenv("KRB5CCNAME", "non-exist", 1);
+
     /* Get initiator cred. */
     major = gss_krb5_import_cred(&minor, cc, NULL, NULL, &initiator_cred);
     check_gsserr("gss_krb5_import_cred (initiator)", major, minor);
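
Review bot: the added setenv("KRB5CCNAME", "non-exist", 1) call just before the initiator gss_krb5_import_cred() has no comment, and its return value is ignored. A short comment saying that the default ccache is deliberately pointed at a name that does not exist, so the test can only pass when the imported cc is the one actually used, would make the intent clear. The call could also be checked for a non-zero return, in line with the check_k5err and check_gsserr checks around it.
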
@@ -84,7 +86,7 @@ main(int argc, char *argv[])
     check_gsserr("gss_krb5_import_cred (acceptor)", major, minor);

     flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
-    establish_contexts(&mech_krb5, initiator_cred, acceptor_cred, target_name,
+    establish_contexts(&mech_spnego, initiator_cred, acceptor_cred,
target_name,
                        flags, &initiator_context, &acceptor_context, NULL,
                        NULL, NULL);
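
Review bot: replacing &mech_krb5 with &mech_spnego in the establish_contexts() call drops the krb5 case from this test rather than adding the spnego case next to it. Since the report says krb5 succeeds and only spnego fails, calling establish_contexts once for each mechanism would keep the existing coverage and show the difference in one run. Separately, the added line was wrapped in transit, leaving target_name, on a line of its own with no diff marker, so the hunk will not apply as posted; breaking the source line after acceptor_cred, would keep it short enough to avoid that.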

*** Failure: ./t_imp_cred failed with code 1.
*** Last command (#130): ./t_imp_cred p:service1/barack
*** Output of last command:
gss_init_sec_context: No credentials were supplied, or the credentials
were unavailable or inaccessible
gss_init_sec_context: SPNEGO cannot find mechanisms to negotiate

Thanks!