[18] in GSSAPI Development
Re: More clarifications
daemon@ATHENA.MIT.EDU (John Wray, Secure Systems Developm)
Tue Apr 30 08:58:16 1991
Date: Tue, 30 Apr 91 05:57:55 PDT
From: "John Wray, Secure Systems Development, DTN 226-6106 30-Apr-1991 0849" <wray@ultra.enet.dec.com>
To: gssapi-dev@Pa.dec.com
>>If gss_acquire_cred is given a set of mechanisms, and it could acquire
>>mechanisms for all but one of the requested mechanisms, does it: 1) set
>>the return variable actual_mechs to contain the mechanisms for which it
>>could successfully obtain credentials, or 2) does it return
>>GSS_S_BAD_MECH?
>
>I think acquire_cred should do option 1. Acquiring credentials for a
>partial set of requested mechanisms is a feature. For example, users
>may not be registered under both Kerberos and SPX. GSS_S_BAD_MECH
>should probably be returned if an application requested a specific
>mechanism which is not supported by a GSS implementation. If this
>error is ever returned, I think the application is not written correctly.
Yes, gss_acquire_cred is allowed to return a non-empty subset of the mechanism
credentials requested. GSS_S_BAD_MECH is returned if the GSSAPI recognizes
none of the requested mechanisms, or if it determines that the set or a
mechanism identifier within the set is malformed; GSS_S_FAILURE is returned if
at least one mechanism is legal and for one reason or another no credential
could be obtained.
>>Second issue: what error code should the routine return if they were
>>expecting one type of token and receive another?
>>Should it just be GSS_S_FAILURE?
>>You seem to have a lot of explicit error codes of other cases, but other
>>cases seem to be lumped into GSS_S_FAILURE and I don't seem to see rhyme
>>or reason for some of them.
>
>I don't have a strong preference in this area. Hmm ... is the
>GSS_S_DEFECTIVE_TOKEN status more appropriate in this case?
GSS_S_DEFECTIVE_TOKEN seems appropriate here.
John
