Should gss_get_name_attribute() dump the values of auth-indicators?
Machin, Glenn Douglas
machin2 at llnl.gov
Thu Oct 13 18:27:31 EDT 2022
Never mind it works. It was the line:
name_buf.length = strlen(name_buf.value) + 1;
Should be:
name_buf.length = strlen(name_buf.value);
Glenn
From: Kerberos <kerberos-bounces at mit.edu> on behalf of Machin, Glenn Douglas via Kerberos <kerberos at mit.edu>
Date: Thursday, October 13, 2022 at 9:34 AM
To: Machin, Glenn Douglas via Kerberos <kerberos at mit.edu>
Subject: Should gss_get_name_attribute() dump the values of auth-indicators?
Should gss_get_name_attribute() dump the values of auth-indicators? I verified that the auth-indicators is set correctly by also setting require_auth on the SPN. When not using OTP I cannot obtain the service ticket, but when using an OTP I can.
I have run this on both 1.15 and 1.18 with the same results. Below is a code snippet of what I used, including the gssapi test routine dump_attribute(). It shows in gss_inquire_name() the auth-indicator as a value, but gss_get_name_attribute() indicates that the operation is not available or is unsupported.
Should I be getting the values of auth-indicator?
Thanks,
Glenn
    serv_maj_stat = gss_accept_sec_context(&acc_sec_min_stat, &context,
                                           GSS_C_NO_CREDENTIAL, &send_tok,
                                           GSS_C_NO_CHANNEL_BINDINGS,
                                           &client, &doid, &recv_tok,
                                           &ret_flags,
                                           NULL,  /* time_rec */
                                           NULL); /* del_cred_handle */

    maj_stat = gss_inquire_name(&min_stat, client, &is_mech_name, &mech, &attrs);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("gss_inquire_name", maj_stat, min_stat);
    } else {
        int i = 0;
        struct gss_buffer_desc_struct thisattr;
        if (attrs && attrs->count > 0) {
            for (i = 0; i < attrs->count; i++) {
                thisattr = attrs->elements[i];
                /* value is a counted buffer, so print it with an explicit length */
                printf("Attr[%d] of %d:%.*s\n", i, (int)attrs->count,
                       (int)thisattr.length, (char *)thisattr.value);
            }
        }
    }

    name_buf.value = "auth-indicators";
    name_buf.length = strlen(name_buf.value) + 1;
    maj_stat = gss_import_name(&min_stat, &name_buf,
                               (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &input_name);
    authenticated = 0;
    complete = 0;
    noisy = 0;
    more = -1;
    dump_attribute(client, &name_buf, noisy);
What I get from gss_inquire_name is:
Attr[0] of 1:auth-indicators
What I get from dump_attribute which calls gss_get_name_attribute is:
Looking for attribute auth-indicators
gss_get_name_attribute: The operation or option is not available or unsupported
gss_get_name_attribute: No such file or directory
(gdb) print (char *) attrs->elements[0]->value
$6 = 0x629ab0 "auth-indicators"
(gdb) print attrs->count
$8 = 1
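Added example (not part of the thread and not MIT krb5 code): a self-contained model of why the extra byte mattered, assuming attribute names are matched as counted buffers (length first, then bytes), so a 16-byte query built with strlen() + 1 never equals the 15-byte name. The names counted_buf, buf_from_cstr, buf_equal, find_attr and lookup_with_extra are hypothetical stand-ins for gss_buffer_desc handling.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_buffer_desc: a counted buffer, not a C string. */
typedef struct {
    size_t length;
    const void *value;
} counted_buf;

/* Build a counted buffer from a C string WITHOUT the trailing NUL. */
static counted_buf buf_from_cstr(const char *s)
{
    counted_buf b = { strlen(s), s };
    return b;
}

/* Counted-buffer equality: lengths must match before bytes are compared. */
static int buf_equal(const counted_buf *a, const counted_buf *b)
{
    return a->length == b->length &&
           memcmp(a->value, b->value, a->length) == 0;
}

/* Return the index of `wanted` in `set`, or -1 if it is absent. */
static int find_attr(const counted_buf *set, size_t count,
                     const counted_buf *wanted)
{
    for (size_t i = 0; i < count; i++)
        if (buf_equal(&set[i], wanted))
            return (int)i;
    return -1;
}

/* Constructed sample: the single attribute name shown in the thread. */
static int lookup_with_extra(size_t extra)
{
    counted_buf attrs[] = { buf_from_cstr("auth-indicators") };
    counted_buf query = buf_from_cstr("auth-indicators");
    query.length += extra;          /* extra = 1 models strlen() + 1 */
    return find_attr(attrs, 1, &query);
}

int main(void)
{
    printf("strlen(name):     index %d\n", lookup_with_extra(0));
    printf("strlen(name) + 1: index %d\n", lookup_with_extra(1));
    return 0;
}
```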