issues with SPNEGO security contexts

Arlene Berry aberry0364 at
Tue Dec 15 20:08:04 EST 2009

When SPNEGO is used, the resulting security context is a union context which
contains a union context which contains the actual mechanism.  The mech_type
for the outer union context is SPNEGO and the mech_type for the inner union
context is the actual mechanism.  I've found two problems with this so far.
The lesser one is that gss_inquire_context always reports SPNEGO for the mech
type instead of the actual mechanism because in the mechglue layer
gss_inquire_context is hardcoded to return the mech_type in the outer union
context.  The worse one is gss_display_status which fails to find any error
strings for the actual mechanism because the mechglue layer calls SPNEGO
which only returns strings for SPNEGO errors and doesn't call the actual
mechanism.  It's not hard to fix gss_inquire_context but I'm not sure how to
fix gss_display_status and I'm beginning to think that having a union context
inside a union context is not good.

Arlene Berry
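As an added illustration of the nesting described in the post (a constructed model, not MIT krb5 mechglue code): the outer union context answers with SPNEGO's OID, so a status lookup keyed on that OID never reaches the inner mechanism's strings. Descending to the innermost context before answering is an assumed alternative for comparison, not a patch from the thread; the OID bytes are the real DER element values, everything else is a stand-in.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: a union context pairs a mech OID with the mech-specific
 * context, and for SPNEGO that mech-specific context is itself a union
 * context whose OID is the mechanism SPNEGO actually negotiated.  The OID
 * encodings are the DER element bytes for SPNEGO (1.3.6.1.5.5.2) and
 * Kerberos V5 (1.2.840.113554.1.2.2); the rest is a stand-in. */
typedef struct { const unsigned char *elements; size_t length; } oid_t;
static const unsigned char SPNEGO_DER[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char KRB5_DER[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
const oid_t mech_spnego = { SPNEGO_DER, sizeof SPNEGO_DER };
const oid_t mech_krb5   = { KRB5_DER,   sizeof KRB5_DER };

typedef struct union_ctx {
    const oid_t *mech_type;   /* what the post says gss_inquire_context returns */
    struct union_ctx *inner;  /* only the SPNEGO context wraps another union context */
} union_ctx;

/* Constructed per-mechanism status tables standing in for each mechanism's
 * own gss_display_status: each one knows only its own minor codes. */
typedef struct { const oid_t *mech; const char *(*status)(unsigned minor); } mech_entry;
static const char *spnego_status(unsigned minor) { return minor == 1 ? "spnego: sample negotiation error" : NULL; }
static const char *krb5_status(unsigned minor)   { return minor == 7 ? "krb5: sample mechanism error" : NULL; }
static const mech_entry mech_table[] = { { &mech_spnego, spnego_status }, { &mech_krb5, krb5_status } };

int oid_equal(const oid_t *a, const oid_t *b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Behaviour the post reports: the mechglue answers from the outer context. */
const oid_t *inquire_mech_outer(const union_ctx *ctx) { return ctx->mech_type; }

/* Assumed alternative: descend through SPNEGO wrappers to the real mechanism. */
const oid_t *inquire_mech_innermost(const union_ctx *ctx) {
    while (ctx->inner != NULL && oid_equal(ctx->mech_type, &mech_spnego)) ctx = ctx->inner;
    return ctx->mech_type;
}

/* Dispatch by mech OID: a minor code is only found when the OID names the
 * mechanism that produced it, which is why a SPNEGO OID yields no string. */
const char *display_status(const oid_t *mech, unsigned minor) {
    for (size_t i = 0; i < sizeof mech_table / sizeof mech_table[0]; i++)
        if (oid_equal(mech_table[i].mech, mech)) return mech_table[i].status(minor);
    return NULL;
}

/* Sample context shaped as the post describes: SPNEGO outside, Kerberos inside. */
union_ctx krb5_ctx   = { &mech_krb5, NULL };
union_ctx spnego_ctx = { &mech_spnego, &krb5_ctx };
```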

More information about the krbdev mailing list