Should gss_get_name_attribute() dump the values of auth-indicators?

Machin, Glenn Douglas machin2 at llnl.gov
Thu Oct 13 18:27:31 EDT 2022


Never mind, it works.  It was the line:
name_buf.length = strlen(name_buf.value) + 1;

Should be:
name_buf.length = strlen(name_buf.value);

Glenn


From: Kerberos <kerberos-bounces at mit.edu> on behalf of Machin, Glenn Douglas via Kerberos <kerberos at mit.edu>
Date: Thursday, October 13, 2022 at 9:34 AM
To: Machin, Glenn Douglas via Kerberos <kerberos at mit.edu>
Subject: Should gss_get_name_attribute() dump the values of auth-indicators?


Should gss_get_name_attribute() dump the values of auth-indicators? I verified that the auth-indicators is set correctly by also setting require_auth on the SPN. When not using OTP I cannot obtain the service ticket, but when using an OTP I can.

I have run this on both 1.15 and 1.18 with the same results. Below is a code snippet of what I used, including the gssapi test routine dump_attribute(). It shows in gss_inquire_name() the auth-indicator as a value, but gss_get_name_attribute() indicates that operation is not available or is unsupported.

Should I be getting the values of auth-indicator?

Thanks,

Glenn

      serv_maj_stat = gss_accept_sec_context(&acc_sec_min_stat, &context,
                                              GSS_C_NO_CREDENTIAL, &send_tok,
                                              GSS_C_NO_CHANNEL_BINDINGS,
                                              &client, &doid, &recv_tok,
                                              &ret_flags,
                                              NULL,  /* time_rec */
                                              NULL); /* del_cred_handle */

      /* List the attribute names attached to the authenticated client name. */
      maj_stat = gss_inquire_name(&min_stat, client, &is_mech_name, &mech, &attrs);
      if (maj_stat != GSS_S_COMPLETE) {
          display_status("gss_inquire_name", maj_stat, min_stat);
      } else {
          int i = 0;
          struct gss_buffer_desc_struct thisattr;
          if (attrs && attrs->count > 0) {
              for (i = 0; i < attrs->count; i++) {
                  thisattr = attrs->elements[i];
                  /* Buffers are counted, not NUL-terminated: print by length. */
                  printf("Attr[%d] of %d:%.*s\n", i, (int)attrs->count,
                         (int)thisattr.length, (char *)thisattr.value);
              }
          }
      }

      name_buf.value = "auth-indicators";
      /* This length counts the terminating NUL (the line the reply above corrects). */
      name_buf.length = strlen(name_buf.value) + 1;
      maj_stat = gss_import_name(&min_stat, &name_buf,
                                 (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &input_name);
      authenticated = 0;
      complete = 0;
      noisy = 0;
      more = -1;
      dump_attribute(client, &name_buf, noisy);

What I get from gss_inquire_name is:

Attr[0] of 1:auth-indicators

What I get from dump_attribute which calls gss_get_name_attribute is:

Looking for attribute auth-indicators
gss_get_name_attribute: The operation or option is not available or unsupported
gss_get_name_attribute: No such file or directory

(gdb) print (char *) attrs->elements[0]->value
$6 = 0x629ab0 "auth-indicators"

(gdb) print attrs->count
$8 = 1

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
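
The off-by-one corrected in the reply above, modelled as an added example (not code from the thread or from MIT krb5). The names buf_t, find_attr, buf_from_cstr and counts_terminator are hypothetical stand-ins, and the example assumes the attribute lookup compares names by counted length and bytes, so a length that includes the trailing NUL never matches.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for gss_buffer_desc: a counted byte string, not a C string. */
typedef struct { size_t length; const void *value; } buf_t;

/* Constructed attribute list, like the one gss_inquire_name() returned above. */
static const buf_t name_attrs[] = { { 15, "auth-indicators" } };
static const size_t n_name_attrs = sizeof(name_attrs) / sizeof(name_attrs[0]);

/* Counted comparison: lengths and bytes must both match (assumed lookup rule). */
static int buf_eq(const buf_t *a, const buf_t *b)
{
    return a->length == b->length && memcmp(a->value, b->value, a->length) == 0;
}

/* Return the index of the requested attribute, or -1 if no entry matches. */
static int find_attr(const buf_t *want)
{
    for (size_t i = 0; i < n_name_attrs; i++)
        if (buf_eq(want, &name_attrs[i]))
            return (int)i;
    return -1;
}

/* Wrap a C string the way the corrected line does: terminator not counted. */
static buf_t buf_from_cstr(const char *s)
{
    buf_t b = { strlen(s), s };
    return b;
}

/* Flag the off-by-one: the last counted byte is the NUL terminator. */
static int counts_terminator(const buf_t *b)
{
    return b->length > 0 && ((const char *)b->value)[b->length - 1] == '\0';
}

int main(void)
{
    const char *attr = "auth-indicators";
    buf_t bad = { strlen(attr) + 1, attr };  /* length as in the original line */
    buf_t good = buf_from_cstr(attr);         /* length as in the corrected line */
    /* Exit status 0 when bad is rejected and flagged and good matches entry 0. */
    return !(find_attr(&bad) == -1 && counts_terminator(&bad) &&
             find_attr(&good) == 0 && !counts_terminator(&good));
}
```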