[13601] in Kerberos_V5_Development
SPNEGO and Kerberos credentials
daemon@ATHENA.MIT.EDU (S Rahul)
Thu Jul 3 03:13:38 2008
Message-ID: <486C7D45.20801@novell.com>
Date: Thu, 03 Jul 2008 12:48:29 +0530
From: S Rahul <srahul@novell.com>
To: krbdev@mit.edu
Hi,
I have a problem using both Kerberos and SPNEGO under GSSAPI in the same
service. I created a credential for the Kerberos principal using
gss_acquire_cred(). If I pass this to gss_accept_sec_context() and
select Kerberos mechanism, there is no problem. But if I select SPNEGO
as the mechanism, the credential does not pass down to
krb5_gss_accept_sec_context(). It gets filtered in the GSSAPI layer
itself and a new credential is generated when
spnego_gss_accept_sec_context() calls gss_accept_sec_context(). One
problem I have because of this is that the replay cache is opened
multiple times and concurrent writes are corrupting the cache. So, I
hacked the GSSAPI code and found that the attached patch appears to
resolve the problem. I understand that mechanism-specific stuff
shouldn't go into GSSAPI code. But still ...
Thanks,
-Rahul
Attachment: gss.diff
--- src/lib/gssapi/mechglue/g_glue.c.old 2008-07-03 12:38:01.000000000 +0530
+++ src/lib/gssapi/mechglue/g_glue.c 2008-07-03 12:39:29.000000000 +0530
@@ -529,10 +529,15 @@
gss_OID mech_type;
{
int i;
+ gss_OID_desc spnego_mech = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
if (union_cred == GSS_C_NO_CREDENTIAL)
return GSS_C_NO_CREDENTIAL;
+ /* SPNEGO mechanism will again call into GSSAPI */
+ if (g_OID_equal(&spnego_mech, mech_type))
+ return (gss_cred_id_t)union_cred;
+
for (i=0; i < union_cred->count; i++) {
if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
return union_cred->cred_array[i];
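Review bot: the new `g_OID_equal(&spnego_mech, mech_type)` shortcut hands back the whole union credential where every other return from this lookup is a mechanism-specific credential, and the `(gss_cred_id_t)union_cred` cast hides that from the compiler; it works only because SPNEGO re-enters the glue layer with the handle, so any path that treats the result as a real mechanism handle (passing it to a mechanism's release or inquire entry point, for instance) would misinterpret it. If the special case stays, state that contract in the comment at the return, and make the literal `static const gss_OID_desc` instead of rebuilding it on every call. The SPNEGO OID itself belongs in the mechanism's own definitions rather than as a magic string in g_glue.c, which is the layering concern the cover note already acknowledges.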
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
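An added example, not from the post or from the MIT Kerberos sources: a small decoder that turns the content octets held in a gss_OID_desc into dotted notation, so the "\x2b\x06\x01\x05\x05\x02" literal the patch hard-codes can be confirmed as SPNEGO's 1.3.6.1.5.5.2 rather than trusted on sight. It also decodes the Kerberos V5 mechanism OID (1.2.840.113554.1.2.2, added here for comparison because its multi-byte arcs exercise the base-128 rule) and reproduces the length-plus-bytes comparison that an OID equality test like the glue's g_OID_equal comes down to. The function names (oid_to_dotted, oid_is, mech_oid_equal) are this example's own, not MIT API.

```c
/* Added example (not from the post or the MIT Kerberos tree): decode the
 * content octets stored in a gss_OID_desc into dotted notation, so a
 * hard-coded literal like the one in the patch can be checked by eye.
 * All names here (oid_to_dotted, oid_is, mech_oid_equal) are the example's own. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SPNEGO literal copied from the patch; the Kerberos V5 mechanism OID is
 * added for comparison. String literals carry a trailing NUL, hence the
 * sizeof(...) - 1 at the call sites. */
static const unsigned char SPNEGO_OID_BYTES[] = "\x2b\x06\x01\x05\x05\x02";
static const unsigned char KRB5_OID_BYTES[]   = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02";

/* Decode `len` OID content octets (no tag, no length byte) into `out`.
 * Returns the number of arcs written, or -1 on malformed input: empty
 * input, an arc that overflows 32 bits, a truncated base-128 arc, or an
 * output buffer that is too small. */
int oid_to_dotted(const unsigned char *oid, size_t len, char *out, size_t outsz)
{
    size_t used = 0;
    uint32_t value = 0;
    int arcs = 0, first = 1;

    if (len == 0 || outsz == 0)
        return -1;
    if (oid[len - 1] & 0x80)           /* last octet says "more follows" */
        return -1;

    for (size_t pos = 0; pos < len; pos++) {
        unsigned char b = oid[pos];
        int n;

        if (value > (UINT32_MAX >> 7))
            return -1;                 /* next shift would overflow */
        value = (value << 7) | (b & 0x7f);
        if (b & 0x80)
            continue;                  /* continuation octet, keep accumulating */

        if (first) {
            /* X.690 8.19.4: the first subidentifier packs arc1*40 + arc2,
             * with arc1 capped at 2 (arc2 may exceed 39 only when arc1 is 2). */
            uint32_t a1 = value < 80 ? value / 40 : 2;
            uint32_t a2 = value - a1 * 40;
            n = snprintf(out + used, outsz - used, "%" PRIu32 ".%" PRIu32, a1, a2);
            arcs += 2;
            first = 0;
        } else {
            n = snprintf(out + used, outsz - used, ".%" PRIu32, value);
            arcs += 1;
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;                 /* output truncated */
        used += (size_t)n;
        value = 0;
    }
    return arcs;
}

/* Convenience check: does the encoded OID decode to `dotted`? Returns 1 or 0. */
int oid_is(const unsigned char *oid, size_t len, const char *dotted)
{
    char buf[128];
    return oid_to_dotted(oid, len, buf, sizeof buf) > 0 && strcmp(buf, dotted) == 0;
}

/* Byte-for-byte OID comparison: same length and same content octets, which
 * is what an OID equality test such as the glue's g_OID_equal comes down to. */
int mech_oid_equal(const unsigned char *a, size_t alen,
                   const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

int main(void)
{
    char buf[128];
    oid_to_dotted(SPNEGO_OID_BYTES, sizeof(SPNEGO_OID_BYTES) - 1, buf, sizeof buf);
    printf("patch literal decodes to %s\n", buf);       /* 1.3.6.1.5.5.2 */
    oid_to_dotted(KRB5_OID_BYTES, sizeof(KRB5_OID_BYTES) - 1, buf, sizeof buf);
    printf("krb5 mechanism OID is   %s\n", buf);        /* 1.2.840.113554.1.2.2 */
    printf("SPNEGO == krb5? %d\n",
           mech_oid_equal(SPNEGO_OID_BYTES, sizeof(SPNEGO_OID_BYTES) - 1,
                          KRB5_OID_BYTES, sizeof(KRB5_OID_BYTES) - 1)); /* 0 */
    return 0;
}
```

The decoder rejects a trailing continuation octet and arcs wider than 32 bits, which is the sort of input a mechanism list received off the wire can contain; a glue layer comparing OIDs by length and bytes, as the patch does, never decodes them at all, so the two views are kept separate here on purpose.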