[12056] in Kerberos-V5-bugs


[krbdev.mit.edu #6936] multiple mechanisms and

daemon@ATHENA.MIT.EDU ("Arlene Berry" via RT)
Fri Jul 22 17:01:38 2011

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: ""Arlene Berry" via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6936@krbdev.mit.edu>
Message-ID: <rt-6936-34191.17.3925643415101@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6936'":;"'AdminCc of krbdev.mit.edu Ticket #6936'":;@MIT.EDU
Date: Fri, 22 Jul 2011 17:01:36 -0400 (EDT)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

You may have credentials for a mechanism but the initial gss_init_sec_context may not succeed.  One issue is that spnego_gss_init_sec_context chooses its preferred mechanism before it knows whether gss_init_sec_context will work and is not structured such that it can recover from a failure even though there might be another mechanism that would work.  The other issue is that for the best chance of success you really don't want to include any mechanism that will fail the initial gss_init_sec_context in the mechanism list that is sent to the acceptor.  This patch pre-screens the mechanism list for failures.  It's not the best solution because it throws away the initial context tokens and repeats the gss_init_sec_context call for the preferred mechanism.  
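
A self-contained C model of the pre-screening approach described in the message above, added here as an illustration; it is not the patch from the ticket and not MIT krb5 code. All names (first_init, prescreen, build_offer, mechA to mechC) are hypothetical, the per-mechanism outcomes are constructed, and no real GSS-API calls are made.

```c
#include <stdio.h>
#include <string.h>

/* Model only: hypothetical names, constructed outcomes, no real GSS-API calls. */
#define MAX_MECHS 8
enum init_status { INIT_FAILED, INIT_COMPLETE, INIT_CONTINUE };
struct mech { const char *name; enum init_status first_call; };
struct offer {
    const struct mech *mechs[MAX_MECHS]; /* list that would go to the acceptor */
    size_t count;
    char token[32];                      /* token from the preferred mechanism */
    int init_calls;                      /* simulated init calls it took */
};

static int init_calls;

/* Stand-in for the first gss_init_sec_context call of one mechanism. */
static enum init_status first_init(const struct mech *m, char *tok, size_t len)
{
    init_calls++;
    if (m->first_call == INIT_FAILED)
        return INIT_FAILED;
    snprintf(tok, len, "%s-token", m->name);
    return m->first_call;
}

/* Keep, in preference order, only mechanisms whose first call succeeds. */
static size_t prescreen(const struct mech *in, size_t n, const struct mech **out)
{
    char discarded[32]; /* screening tokens are thrown away */
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (first_init(&in[i], discarded, sizeof discarded) != INIT_FAILED)
            out[kept++] = &in[i];
    return kept;
}

/* Screen the list, then repeat the call for the preferred (first kept) mech. */
int build_offer(const struct mech *in, size_t n, struct offer *o)
{
    init_calls = 0;
    memset(o, 0, sizeof *o);
    if (n > MAX_MECHS)
        return -1;
    o->count = prescreen(in, n, o->mechs);
    if (o->count == 0)
        return -1; /* nothing usable: fail before sending anything */
    if (first_init(o->mechs[0], o->token, sizeof o->token) == INIT_FAILED)
        return -1;
    o->init_calls = init_calls;
    return 0;
}

/* Constructed sample: credentials exist for all three, but mechA's first call fails. */
static const struct mech sample[] = {
    { "mechA", INIT_FAILED }, { "mechB", INIT_CONTINUE }, { "mechC", INIT_COMPLETE } };

int main(void) { struct offer o; return build_offer(sample, 3, &o); }
```

With three candidate mechanisms the model makes four init calls, one per candidate plus the repeated call for the preferred mechanism, which is the cost the message points out.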
