MS KRB5 vs KRB 5 GSS API/SPNEGO question

Prakash Narayanaswamy prakash at nutanix.com
Mon Feb 3 21:53:31 EST 2014


Thanks a lot, Greg. We'll take the patch, apply it, test it and get back to
you. Thanks again.

Prakash

Prakash N | 408 771 4273



On Mon, Feb 3, 2014 at 6:31 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 02/03/2014 02:26 PM, Prakash Narayanaswamy wrote:
> > Hello, We are trying to get a service (a SMB server) running on Linux
> > kerberized using the GSS API. During the negotiation (SPNEGO), the Windows
> > SMB client specifies MS KRB5 (1.2.840.48018.1.2.2) as the preferred
> > mechanism and supplies the initial token. The gss_accept_sec_context method
> > on the server accepts the token and generates a *NegTokenResp*, setting the
> > *negState* to *"accept-completed"* and *supportedMech* to *KRB5
> > (1.2.840.113554.1.2.2)* among other things.
> [...]
> > The question now is this: Is there a better way of doing this? Are we
> > missing something here?
>
> Nope, it's just a bug.  I apparently introduced it in 1.10 when fixing
> another issue.  Thanks for investigating it in enough detail to make it easy
> to find the mistake.
>
> Here is a candidate fix, which should make its way into master and 1.12.2:
>
>   https://github.com/greghudson/krb5/commits/spnegofix
>
> Here is the bug-tracker entry I filed:
>
>   http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858
>
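
The exchange described in the quoted report, as an added example (not code from this thread or from MIT krb5): a minimal Python decoder for a SPNEGO NegTokenResp that flags a first response reporting accept-completed while naming a supportedMech other than the initiator's preferred mechanism. The two tokens and the offered mechanism list are constructed for illustration, and the function names are hypothetical.

```python
# Added example: decode a SPNEGO NegTokenResp (RFC 4178) and check supportedMech.
MS_KRB5 = "1.2.840.48018.1.2.2"   # OID the Windows client prefers (from the thread)
KRB5 = "1.2.840.113554.1.2.2"     # OID the acceptor answered with (from the thread)
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# Constructed tokens: [1] { SEQUENCE { [0] negState=0, [1] supportedMech=<OID> } }
RESP_KRB5 = bytes.fromhex("a1143012a0030a0100a10b06092a864886f712010202")
RESP_MS_KRB5 = bytes.fromhex("a1143012a0030a0100a10b06092a864882f712010202")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content octets into dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a sub-identifier
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_neg_token_resp(token):
    """Extract negState and supportedMech; other fields are skipped."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("NegTokenResp body is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        _, value, _ = read_tlv(inner, 0)
        if ctx == 0xA0:
            fields["negState"] = NEG_STATES.get(value[0], "unknown")
        elif ctx == 0xA1:
            fields["supportedMech"] = decode_oid(value)
    return fields

def check_first_response(offered, resp):
    """offered: initiator's mechTypes in preference order (constructed here)."""
    mech = resp.get("supportedMech")
    if mech not in offered:
        return "supportedMech missing or never offered"
    if resp.get("negState") == "accept-completed" and mech != offered[0]:
        return f"mismatch: completed on the optimistic token but names {mech}"
    return "ok"
```
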

