Status of ticket 5807?

Bryan Kadzban debbugs at
Mon May 12 18:42:37 EDT 2008

I am attempting to use MIT Kerberos with mod_auth_kerb under Apache.
The clients use SPNEGO, and I can't really change that.  I need
delegation to work properly, as the scripts that are running under
Apache need to be able to get at resources protected by Kerberos, and
they need to do that as the user that logs in from the browser.

The problem is, I am running into the same problem as reported in ticket
5807: gssint_get_mechanism_cred is failing because the passed-in
credential's mechanism OID doesn't match what it was given.  (The mech
ID in the credential is for SPNEGO, not Kerberos or old-Kerberos.)

This issue seems to be a showstopper for what I'm trying to do (as far
as I can see anyway), since it seems to break the ability to save out a
delegated credential from SPNEGO; are there any plans on getting the
patch in ticket 5807 into a future Kerberos release?  Is there anything
I can do to help the patch along?

(Before I found ticket 5807, I wrote a very similar patch, which gets
the SPNEGO OID from a call to spnego_gss_get_mech_configs() function
instead of hardcoding it like the patch on bug 5807 does.  If there were
any objections to hardcoding the OID, the patch that I put together
*might* be acceptable; it's available at the Debian bugreport[1] if
anyone wants to look.)



More information about the krbdev mailing list