gss_accept_sec_context & rcache

Rainer Weikusat rainer.weikusat at sncag.com
Tue May 30 05:18:47 EDT 2006


Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> On Monday, May 29, 2006 01:05:47 PM +0200 Rainer Weikusat
> <rainer.weikusat at sncag.com> wrote:
>
>> Is there a particular reason why gss_accept_sec_context
>> returns GSS_S_FAILURE/KRB5_RC_REPLAY for duplicate
>> initiator tokens instead of GSS_S_DUPLICATE_TOKEN?
>
> Because GSS_S_DUPLICATE_TOKEN means that a duplicate per-message token
> was received when message replay detection is enabled.  It does not
> apply to context negotiation.

This is a quote from RFC1509, section 3.4:

	GSS_S_DUPLICATE_TOKEN   The input_token is valid, but is a
	                        duplicate of a token already processed.  This
	                        is a fatal error during context establishment.

The same text is contained in RFC2744 (and in both language-independent
API specifications as well).


