GSS/SPNEGO/mechglue/krb5 patches for 1.8

Sam Hartman hartmans at MIT.EDU
Thu Jan 21 09:45:47 EST 2010


>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:

    Nicolas> On Wed, Jan 20, 2010 at 03:37:01PM -0500, Luke Howard wrote:
    >> I haven't looked at the ticket, but I'm not sure if this is a
    >> bug. My understanding from Nico is that you should acquire
    >> credentials for the target mechanism, that is, if you are using
    >> SPNEGO you should use SPNEGO credentials.

    Nicolas> Correct.

    Nicolas> Either use GSS_C_NO_CREDENTIAL, or, if you must control
    Nicolas> what credentials to use, then use gss_acquire_cred() and/or
    Nicolas> gss_add_cred() for each mechanism that you care about,
    Nicolas> _including_ SPNEGO if you wish to use SPNEGO.  In addition,
    Nicolas> if you want to control what mechanisms SPNEGO will
    Nicolas> negotiate, and with what preference, then use
    Nicolas> gss_set_neg_mechs() on the credential handle.

This is a nice theory and I agree it's how it's supposed to work.
However, do we actually support gss_set_neg_mechs?  If this ticket is
easier to accept than writing a new API at this point in the
process, then perhaps we should do so.  The bug that you need to be able
to control what SPNEGO offers seems quite real, and I think we should
provide some fix to that bug in the 1.8 timeframe if it's causing
problems for people willing to write code.

--Sam


