MS KRB5 vs KRB 5 GSS API/SPNEGO question
Greg Hudson
ghudson at MIT.EDU
Mon Feb 3 21:31:16 EST 2014
On 02/03/2014 02:26 PM, Prakash Narayanaswamy wrote:
> Hello, We are trying to get a service (a SMB server) running on Linux
> kerberized using the GSS API. During the negotiation (SPNEGO), the Windows
> SMB client specifies MS KRB5 (1.2.840.48018.1.2.2) as the preferred
> mechanism and supplies the initial token. The gss_accept_sec_context method
> on the server accepts the token and generates a *NegTokenResp*, setting the
> *negState* to *"accept-completed"* and *supportedMech* to *KRB5
> (1.2.840.113554.1.2.2)* among other things.
[...]
> The question now is this: Is there a better way of doing this? Are we
> missing something here?
Nope, it's just a bug. I apparently introduced it in 1.10 when fixing
another issue. Thanks for investigating it in enough detail to make it easy
to find the mistake.
Here is a candidate fix, which should make its way into master and 1.12.2:
https://github.com/greghudson/krb5/commits/spnegofix
Here is the bug-tracker entry I filed:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858
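
An added example, not part of the original message or of the krb5 code base: the two mechanism OIDs quoted above in the DER form they take on the wire, and a check for a first NegTokenResp that reports accept-completed while naming a supportedMech other than the initiator's preferred mechanism. The function names are hypothetical, and the offered mechanism list in the sample is constructed.

```python
# OIDs exactly as quoted in the thread.
MS_KRB5 = "1.2.840.48018.1.2.2"
KRB5 = "1.2.840.113554.1.2.2"

def oid_to_der(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def der_to_oid(der):
    """Decode a DER OID whose first arc is 0 or 1 (true for both OIDs here)."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = der[2:]
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_first_response(mech_types, neg_state, supported_mech):
    """Return a finding string, or None if the acceptor's first reply is consistent.

    mech_types: DER OIDs from the NegTokenInit in preference order; the
    optimistic mechToken belongs to mech_types[0] (RFC 4178).
    """
    offered = [der_to_oid(m) for m in mech_types]
    selected = der_to_oid(supported_mech)
    if selected not in offered:
        return "supportedMech %s was not offered" % selected
    if neg_state == "accept-completed" and selected != offered[0]:
        return ("accept-completed names %s, but the token consumed was for %s"
                % (selected, offered[0]))
    return None

if __name__ == "__main__":
    offered = [oid_to_der(MS_KRB5), oid_to_der(KRB5)]   # constructed sample
    print(oid_to_der(MS_KRB5).hex(), oid_to_der(KRB5).hex())
    print(check_first_response(offered, "accept-completed", oid_to_der(KRB5)))
```

The two encodings differ in a single byte (0x82 versus 0x86), which makes them easy to confuse when reading a packet capture.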