[20338] in Kerberos_V5_Development


Re: Use gss_krb5_import_cred() for initiator spnego creds

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Sun Dec 12 21:16:51 2021

MIME-Version: 1.0
In-Reply-To: <68c2348d-d588-d649-f6c3-9e786359058a@mit.edu>
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 13 Dec 2021 04:15:53 +0200
Message-ID: <CAC-fF8Q4M9cqqy=RcDLNus98xG6fE8oR_c=dvpr9TsiDYfBvRQ@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, Dec 13, 2021 at 4:00 AM Greg Hudson <ghudson@mit.edu> wrote:
>
> On 12/12/21 7:44 PM, Isaac Boukris wrote:
> > When passing a unique memory cache to gss_krb5_import_cred() (aka not
> > default), I fail to use these creds in gss_init_sec_context() with
> > spnego mech but succeed with krb5. I wonder if that's a bug or if
> > there is a way around it.
> >
> > I managed to reproduce in the test-suite, with this diff:
>
> gss_krb5_import_cred() creates a krb5 cred.  You can't use that with
> SPNEGO per the standard API, nor is there a way to turn an existing cred
> handle into a SPNEGO cred.  Recent Heimdal does allow this as an
> implicit extension (SPNEGO is flagged as a meta-mechanism which directly
> uses union creds), but MIT krb5 does not.
>
> A confounding factor is that the mechglue gss_init_sec_context() does
> not error out on mismatched credentials.  It just calls
> gssint_get_mechanism_cred() on the union cred, and if that returns NULL
> (it has no other way of failing) the mechglue just passes the default
> cred handle to the mech.  gss_accept_sec_context() used to behave the
> same way, but I changed that in 2011 to make it fail out instead.
>
> The current best way around this is to use gss_acquire_cred_from().

OK, thanks for clarifying it. My problem was that I create the
ccache with krb5_cc_new_unique(MEMORY) and so do not have its name. I
just noticed I can get the name with krb5_cc_get_full_name() and use
gss_acquire_cred_from() with that name, and it now works with SPNEGO
too :)
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
