[17050] in Kerberos_V5_Development


Re: gss_krb5_import_cred fails for Samba

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jul 19 12:19:57 2011

From: Greg Hudson <ghudson@mit.edu>
To: Andrew Bartlett <abartlet@samba.org>
In-Reply-To: <1310999403.3287.15.camel@obed>
Content-Type: multipart/mixed; boundary="=-jaQbpasADvWdV5LJE7rg"
Date: Tue, 19 Jul 2011 12:19:48 -0400
Message-ID: <1311092388.23877.86.camel@t410>
Mime-Version: 1.0
Cc: "lukeh@PADL.COM" <lukeh@padl.com>, "krbdev@mit.edu" <krbdev@mit.edu>,
   "samba-technical@samba.org" <samba-technical@samba.org>
Errors-To: krbdev-bounces@mit.edu


On Mon, 2011-07-18 at 10:30 -0400, Andrew Bartlett wrote:
> This is because alloc_union_cred() calls [...]

Judging by the code in g_acquire_cred.c, the call to
mech->gss_display_name should be conditional on mech_name !=
GSS_C_NO_NAME.

If you're in a position to test the attached patch and let me know if
it resolves the case where the principal is unspecified, that would be
helpful.

> If the principal is specified (matching the keytab value of host$@REALM)
> then the login fails with 'Wrong principal in request'.

I'd be interested in knowing more about why this is; I wouldn't expect
it to happen as long as the specified principal exists in the keytab.

> Given this function seems to have been added for Samba, is there a test
> case that could be expanded to ensure that Samba's needs for this
> function can be met?

I will try to add some automated tests for these scenarios.


--=-jaQbpasADvWdV5LJE7rg
Content-Disposition: attachment; filename="patch.txt"
Content-Type: text/plain; name="patch.txt"; charset="UTF-8"
Content-Transfer-Encoding: 7bit

diff --git a/src/lib/gssapi/mechglue/g_set_cred_option.c b/src/lib/gssapi/mechglue/g_set_cred_option.c
index 897c84f..b530b1e 100644
--- a/src/lib/gssapi/mechglue/g_set_cred_option.c
+++ b/src/lib/gssapi/mechglue/g_set_cred_option.c
@@ -85,12 +85,14 @@ alloc_union_cred(OM_uint32 *minor_status,
     if (status != GSS_S_COMPLETE)
 	goto cleanup;
 
-    status = mech->gss_display_name(minor_status,
-				    mech_name,
-				    &cred->auxinfo.name,
-				    &cred->auxinfo.name_type);
-    if (status != GSS_S_COMPLETE)
-	goto cleanup;
+    if (mech_name != GSS_C_NO_NAME) {
+	status = mech->gss_display_name(minor_status,
+					mech_name,
+					&cred->auxinfo.name,
+					&cred->auxinfo.name_type);
+	if (status != GSS_S_COMPLETE)
+	    goto cleanup;
+    }
 
     status = GSS_S_COMPLETE;
     *pcred = cred;
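
Review bot: When mech_name is GSS_C_NO_NAME, the new `if (mech_name != GSS_C_NO_NAME)` block is skipped and cred->auxinfo.name and cred->auxinfo.name_type are never assigned on this path, yet the function still returns GSS_S_COMPLETE with `*pcred = cred`. The hunk does not show how cred is allocated, so please confirm it is zero-initialized before this point, or add an else branch that sets the name buffer to empty and name_type to GSS_C_NO_OID explicitly, so that later readers of auxinfo and the cleanup path never see uninitialized fields. A one-line comment above the condition saying that a credential imported without a principal has no name to display would also help, and the automated tests mentioned in the message should cover this branch.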
