[16675] in Kerberos_V5_Development
Re: Cannot get name from default acceptor cred
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 9 15:22:55 2011
From: Greg Hudson <ghudson@mit.edu>
To: Sriram Nambakam <snambakam@likewise.com>
In-Reply-To: <23447137FA0DAA4D95EF535FF356BE4606105EE1@mse3be2.mse3.exchange.ms>
Date: Wed, 09 Mar 2011 15:20:21 -0500
Message-ID: <1299702021.2397.392.camel@t410>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>

On Wed, 2011-03-09 at 14:10 -0500, Sriram Nambakam wrote:
> When this cred (with keytab) is used as part of
> gss_accept_security_context(...), the principal will be taken from the
> incoming token?

Because of the way server aliases work, we actually ignore the principal
name from the client and just try every entry in the keytab until we
find one that works. (Unless we are running against the KDB keytab; in
that case we use the client-provided principal name.)

> I am trying to run the SAP gsstest against the MIT krb5 gss library, and
> it fails in two cases when trying to acquire default credentials.

Fundamentally, this is a place where GSSAPI and krb5 don't quite mesh.
We can probably make up a name to return in this case, such as the first
principal in the keytab. Some care needs to be taken to handle
GSS_C_BOTH credentials correctly. I'm not sure when or if I'll find
time to code this up.