[krbdev.mit.edu #8203] Name handling does not conform to RFC2744 
    Simo Sorce via RT
    rt-comment at krbdev.mit.edu
    Fri Jun 19 16:19:27 EDT 2015

In RFC2744 3.10 it says:
     "A single gss_name_t object may contain
      multiple names from different namespaces, but all names should
      refer to the same entity.  An example of such an internal name
      would be the name returned from a call to the gss_inquire_cred
      routine, when applied to a credential containing credential
      elements for multiple authentication mechanisms employing
      different namespaces."
I found myself in exactly this situation (using gss_inquire_cred) and currently
libgssapi fails to handle the request appropriately.
In my code I am using gss_acquire_cred() with usage GSS_C_ACCEPT in order to
get a "server" name to be used. In my configuration I have 2 mechanisms that have
valid server credentials; however, only the first mechanism's name is returned when
I call gss_inquire_cred().
Later on I use this "server" name as input for gss_init_sec_context(), which is
used in a loop with gss_accept_sec_context() in order to validate user credentials
obtained via gss_acquire_cred_with_password().
If the credentials being tested are valid only for the second mechanism (using SPNEGO
to negotiate a valid mechanism, for example), then the second mechanism fails to work, as
the name used is valid only for the first mechanism.
A gss_union_name_t will need to be introduced to fix this problem.
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
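The following is an added example, not part of the report above and not MIT krb5 or libgssapi code. It is a small stand-alone model of the mechglue behaviour the report describes: a credential with elements for two mechanisms, an inquire_cred that hands back only the first element's name (the current behaviour) beside one that hands back a union-style name with one element per mechanism (what RFC 2744 section 3.10 calls for), and the dispatch step that init_sec_context then needs to pick the right name element. All types and functions (mech_id, model_name, model_cred, acquire_accept_cred and the rest), the two mechanism identifiers and the sample server names are hypothetical and constructed for the illustration; SPNEGO negotiation and the real init/accept token loop are not modelled.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_MECHS 4
/* Two hypothetical mechanisms sharing one acceptor credential. */
typedef enum { MECH_KRB5 = 1, MECH_OTHER = 2 } mech_id;

/* Model of a union name: one mechanism-specific name per element, all for
 * the same entity (RFC 2744 section 3.10). Not the real gss_union_name_t. */
typedef struct {
    int count;
    mech_id mech[MAX_MECHS];
    char name[MAX_MECHS][64];
} model_name;

/* Model of a union credential: one element per mechanism, each remembering
 * the server name it was acquired for. */
typedef struct {
    int count;
    mech_id mech[MAX_MECHS];
    char server_name[MAX_MECHS][64];
} model_cred;

/* Constructed sample: acceptor credential elements for both mechanisms. */
static model_cred acquire_accept_cred(void)
{
    model_cred c = { .count = 2 };
    c.mech[0] = MECH_KRB5;
    strcpy(c.server_name[0], "host/server.example.com@EXAMPLE.COM");
    c.mech[1] = MECH_OTHER;
    strcpy(c.server_name[1], "server.example.com");
    return c;
}

/* The behaviour the report describes: only the first element's name. */
static model_name inquire_cred_first_only(const model_cred *c)
{
    model_name n = { .count = 1 };
    n.mech[0] = c->mech[0];
    strcpy(n.name[0], c->server_name[0]);
    return n;
}

/* RFC 2744 behaviour: one name object with a name per mechanism element. */
static model_name inquire_cred_union(const model_cred *c)
{
    model_name n = { .count = c->count };
    for (int i = 0; i < c->count; i++) {
        n.mech[i] = c->mech[i];
        strcpy(n.name[i], c->server_name[i]);
    }
    return n;
}

/* Dispatch step in init_sec_context: pick the target-name element that
 * belongs to the mechanism actually chosen; false if there is none. */
static bool select_target_name(const model_name *n, mech_id chosen,
                               const char **out)
{
    for (int i = 0; i < n->count; i++)
        if (n->mech[i] == chosen) { *out = n->name[i]; return true; }
    *out = NULL;
    return false;
}

/* Stand-in for the init/accept loop with a user credential valid only for
 * user_mech: the acceptor must hold a matching element under that mech. */
static bool establish_context(const model_name *target, mech_id user_mech)
{
    const char *tn;
    if (!select_target_name(target, user_mech, &tn))
        return false;
    model_cred acceptor = acquire_accept_cred();
    for (int i = 0; i < acceptor.count; i++)
        if (acceptor.mech[i] == user_mech &&
            strcmp(acceptor.server_name[i], tn) == 0)
            return true;
    return false;
}

/* The report's scenario with the current first-name-only behaviour. */
bool context_with_first_name_only(mech_id user_mech)
{
    model_cred c = acquire_accept_cred();
    model_name n = inquire_cred_first_only(&c);
    return establish_context(&n, user_mech);
}

/* The same scenario once inquire_cred hands back a union name. */
bool context_with_union_name(mech_id user_mech)
{
    model_cred c = acquire_accept_cred();
    model_name n = inquire_cred_union(&c);
    return establish_context(&n, user_mech);
}
```

Calling context_with_first_name_only(MECH_OTHER) reproduces the failure in the report: the name object has no element for the second mechanism, so the initiator cannot name the acceptor and the loop never succeeds, while context_with_union_name(MECH_OTHER) succeeds because the union name carries the second mechanism's element and the dispatch step selects it. The design point is that the fix lives in two places: inquire_cred must emit every element, and init_sec_context must select by mechanism rather than assuming a single name.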