SPNEGO and Kerberos credentials

S Rahul srahul at novell.com
Thu Jul 3 03:18:29 EDT 2008


I have a problem using both Kerberos and SPNEGO under GSSAPI in the same
service. I created a credential for the Kerberos principal using
gss_acquire_cred(). If I pass this to gss_accept_sec_context() and
select the Kerberos mechanism, there is no problem. But if I select SPNEGO
as the mechanism, the credential does not pass down to
krb5_gss_accept_sec_context(). It gets filtered in the GSSAPI layer
itself and a new credential is generated when
spnego_gss_accept_sec_context() calls gss_accept_sec_context(). One
problem I have because of this is that the replay cache is opened
multiple times and concurrent writes are corrupting the cache. So, I
hacked the GSSAPI code and found that the attached patch appears to
resolve the problem. I understand that mechanism-specific stuff
shouldn't go into GSSAPI code. But still ...


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gss.diff
Url: http://mailman.mit.edu/pipermail/krbdev/attachments/20080703/39cfe49c/attachment.bat
