MS KRB5 vs KRB 5 GSS API/SPNEGO question
Prakash Narayanaswamy
prakash at nutanix.com
Tue Feb 4 14:15:53 EST 2014
Greg, the patch that you gave us fixed the issue. Thanks for the prompt
debugging and a quick patch.
Prakash
On Mon, Feb 3, 2014 at 6:53 PM, Prakash Narayanaswamy
<prakash at nutanix.com> wrote:
> Thanks a lot, Greg. We'll take the patch, apply it, test it and get back
> to you. Thanks again.
>
> Prakash
>
> Prakash N | 408 771 4273
>
>
>
> On Mon, Feb 3, 2014 at 6:31 PM, Greg Hudson <ghudson at mit.edu> wrote:
>
>> On 02/03/2014 02:26 PM, Prakash Narayanaswamy wrote:
>> > Hello, We are trying to get a service (a SMB server) running on Linux
>> > kerberized using the GSS API. During the negotiation (SPNEGO), the Windows
>> > SMB client specifies MS KRB5 (1.2.840.48018.1.2.2) as the preferred
>> > mechanism and supplies the initial token. The gss_accept_sec_context method
>> > on the server accepts the token and generates a *NegTokenResp*, setting the
>> > *negState* to *"accept-completed"* and *supportedMech* to *KRB5
>> > (1.2.840.113554.1.2.2)* among other things.
>> [...]
>> > The question now is this: Is there a better way of doing this? Are we
>> > missing something here?
>>
>> Nope, it's just a bug. I apparently introduced it in 1.10 when fixing
>> another issue. Thanks for investigating it in enough detail to make it easy
>> to find the mistake.
>>
>> Here is a candidate fix, which should make its way into master and 1.12.2:
>>
>> https://github.com/greghudson/krb5/commits/spnegofix
>>
>> Here is the bug-tracker entry I filed:
>>
>> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858
>>
>
>
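
Added example (not part of the original thread and not MIT krb5 code): a minimal Python decoder for the SPNEGO NegTokenResp described above. It reads negState and supportedMech from a response and compares supportedMech with the mechanism the client preferred. The sample token is constructed for illustration and the function names are hypothetical.

```python
# Added example; function names are hypothetical, sample token is constructed.
KRB5_OID = "1.2.840.113554.1.2.2"     # standard Kerberos 5 mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"   # Microsoft variant named in the thread
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# Constructed NegTokenResp: negState=accept-completed, supportedMech=KRB5.
SAMPLE_RESP = bytes.fromhex("a1143012a0030a0100a10b06092a864886f712010202")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets (first arc 0 or 1, true of both OIDs here)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_neg_token_resp(token):
    """Extract negState and supportedMech from a bare NegTokenResp."""
    outer, body, _ = read_tlv(token, 0)
    inner_tag, seq, _ = read_tlv(body, 0)
    if outer != 0xA1 or inner_tag != 0x30:   # [1] negTokenResp wrapping a SEQUENCE
        raise ValueError("not a NegTokenResp")
    out, pos = {}, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        _, inner, _ = read_tlv(field, 0)     # unwrap the explicit context tag
        if tag == 0xA0:
            out["negState"] = NEG_STATES.get(inner[0], "unknown")
        elif tag == 0xA1:
            out["supportedMech"] = decode_oid(inner)
    return out

def mech_differs(preferred_oid, token):
    """True when supportedMech is present and is not the preferred mech."""
    mech = parse_neg_token_resp(token).get("supportedMech")
    return mech is not None and mech != preferred_oid
```

Calling `mech_differs(MS_KRB5_OID, SAMPLE_RESP)` reports the combination described in the thread: the client preferred MS KRB5 and the response names KRB5.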