[krbdev.mit.edu #6973] error reporting made worse in gss_acquire_creds
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sun May 13 13:08:40 EDT 2012
Looking into this:

1. gss_acquire_cred tries all of the mechs in sequence and, if none of
them worked, returns the last major/minor status it saw. The last mech
is SPNEGO, which tries all of the other mechs and comes up with a minor
status of ERR_SPNEGO_NO_MECHS_AVAILABLE, which conveys no useful
information.

2. spnego_gss_acquire_cred has a bug where it stomps its own minor
status with a call to gss_release_oid_set(), so we don't even see the
useless error message; instead we get a minor code which maps to 0 and
gss_display_status returns the empty string.

I will fix #2 but not link it to this report, since it solves the
uninteresting part of the problem. #1 is harder; it's fundamentally
difficult to return a useful error message for "I tried a bunch of
things which I don't have a lot of specific knowledge about, and they
all failed." Returning the first major/minor code we see would probably
be more helpful for krb5 use cases, but not for Moonshot or similar use
cases.
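
Added example, not part of the original message and not MIT krb5 source: a self-contained C mock of the pattern in item 2, where a cleanup call that shares the caller's minor_status pointer erases the failure code, next to a variant that gives the cleanup call its own scratch variable. All `mock_` names, the `MOCK_` constants, and the assumption that the cleanup routine writes 0 on success are constructed for illustration; the scratch-variable form is one common way to avoid the stomp, not necessarily the fix that was committed.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t OM_uint32;             /* local typedef; no GSS-API headers used */
#define MOCK_COMPLETE        0u         /* constructed major status values */
#define MOCK_FAILURE         1u
#define MOCK_MINOR_NO_MECHS  0x5a5a0001u /* constructed minor code */

/* Mock cleanup routine: reports its own result through *minor (assumed 0). */
static OM_uint32 mock_release_set(OM_uint32 *minor, int **set)
{
    *set = NULL;
    *minor = 0;
    return MOCK_COMPLETE;
}

/* Mock mechanism loop that always fails with a specific minor code. */
static OM_uint32 mock_try_mechs(OM_uint32 *minor)
{
    *minor = MOCK_MINOR_NO_MECHS;
    return MOCK_FAILURE;
}

/* Stomping shape: cleanup reuses the caller's minor_status. */
OM_uint32 acquire_stomping(OM_uint32 *minor)
{
    int dummy, *set = &dummy;
    OM_uint32 major = mock_try_mechs(minor);
    (void)mock_release_set(minor, &set);   /* overwrites the failure code */
    return major;
}

/* Preserving shape: cleanup writes to a scratch variable instead. */
OM_uint32 acquire_preserving(OM_uint32 *minor)
{
    int dummy, *set = &dummy;
    OM_uint32 tmpmin;
    OM_uint32 major = mock_try_mechs(minor);
    (void)mock_release_set(&tmpmin, &set); /* caller's minor left intact */
    return major;
}

int main(void)
{
    OM_uint32 a = 0xffffffffu, b = 0xffffffffu;
    OM_uint32 ma = acquire_stomping(&a), mb = acquire_preserving(&b);
    printf("stomping:   major=%u minor=0x%08x\n", (unsigned)ma, (unsigned)a);
    printf("preserving: major=%u minor=0x%08x\n", (unsigned)mb, (unsigned)b);
    return 0;
}
```

In the stomping variant the caller sees a failing major status paired with a minor status of 0, which is the combination that leaves an error-display routine with nothing to print.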