Not getting delegation credential from gss_accept_sec_context()

[Xie, Hugh]

That was what I did. Both context_handle for *gss_accept_sec_context()* and then * gss_init_sec_context* were initialized to GSS_C_NO_CONTEXT and the address of &context_handle are passed to these functions. I am getting error " No context has been established" and " Attempt to use incomplete security context" for minor when I call gss_init_sec_context with delegated_cred_handle from gss_accept_sec_context. I do not get this error if I do not pass delegated_cred_handle.

-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu] 
Sent: Wednesday, October 08, 2014 5:10 PM
To: Xie, Hugh; Kerberos at mit.edu
Subject: Re: Not getting delegation credential from gss_accept_sec_context()

On 10/08/2014 03:41 PM, Xie, Hugh wrote:
> After switching version 1.12.2, as a follow up question to the next step of S4U2Proxy.
> 
> I passed the delegated_cred_handle from *gss_accept_sec_context()* to *gss_init_sec_context*. I got a "No context has been established" error since the context_handle is reinitialized to GSS_C_NO_CONTEXT. This is not a problem when I am not using delegated_cred_handle. When I attempt to pass the same context handle from gss_accept_sec_context(), I got a segmentation error.
> 
> Can you tell me what context_handle to use?

Just as when you initially call gss_accept_sec_context, you need to pass the address of a gss_ctx_id_t variable which was initialized to GSS_C_NO_CONTEXT.  If you pass NULL, you will get the error you mentioned.

Reusing the acceptor context is incorrect usage; there ought to be a safety check so that it results in an error instead of a seg fault, but there might not be.  I will file a ticket if I can reproduce the issue.

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.