MS KRB5 vs KRB 5 GSS API/SPNEGO question

Prakash Narayanaswamy prakash at nutanix.com
Tue Feb 4 14:15:53 EST 2014


Greg, the patch that you gave us fixed the issue. Thanks for the prompt
debugging and a quick patch.


Prakash




On Mon, Feb 3, 2014 at 6:53 PM, Prakash Narayanaswamy
<prakash at nutanix.com> wrote:

> Thanks a lot, Greg. We'll take the patch, apply it, test it and get back
> to you. Thanks again.
>
> Prakash
>
> Prakash N | 408 771 4273
>
>
>
> On Mon, Feb 3, 2014 at 6:31 PM, Greg Hudson <ghudson at mit.edu> wrote:
>
>> On 02/03/2014 02:26 PM, Prakash Narayanaswamy wrote:
>> > Hello, We are trying to get a service (a SMB server) running on Linux
>> > kerberized using the GSS API. During the negotiation (SPNEGO), the Windows
>> > SMB client specifies MS KRB5 (1.2.840.48018.1.2.2) as the preferred
>> > mechanism and supplies the initial token. The gss_accept_sec_context method
>> > on the server accepts the token and generates a *NegTokenResp*, setting the
>> > *negState* to *"accept-completed"* and *supportedMech* to *KRB5
>> > (1.2.840.113554.1.2.2)* among other things.
>> [...]
>> > The question now is this: Is there a better way of doing this? Are we
>> > missing something here?
>>
>> Nope, it's just a bug.  I apparently introduced it in 1.10 when fixing
>> another issue.  Thanks for investigating it in enough detail to make it easy
>> to find the mistake.
>>
>> Here is a candidate fix, which should make its way into master and 1.12.2:
>>
>>   https://github.com/greghudson/krb5/commits/spnegofix
>>
>> Here is the bug-tracker entry I filed:
>>
>>   http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858
>>
>
>

