GSS/SPNEGO/mechglue/krb5 patches for 1.8

Sam Hartman hartmans at MIT.EDU
Thu Jan 21 09:45:47 EST 2010

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

    Nicolas> On Wed, Jan 20, 2010 at 03:37:01PM -0500, Luke Howard wrote:
    >> I haven't looked at the ticket, but I'm not sure if this is a
    >> bug. My understanding from Nico is that you should acquire
    >> credentials for the target mechanism, that is, if you are using
    >> SPNEGO you should use SPNEGO credentials.

    Nicolas> Correct.

    Nicolas> Either use GSS_C_NO_CREDENTIAL, or, if you must control
    Nicolas> what credentials to use, then use gss_acquire_cred() and/or
    Nicolas> gss_add_cred() for each mechanism that you care about,
    Nicolas> _including_ SPNEGO if you wish to use SPNEGO.  In addition,
    Nicolas> if you want to control what mechanisms SPNEGO will
    Nicolas> negotiate, and with what preference, then use
    Nicolas> gss_set_neg_mechs() on the credential handle.

This is a nice theory and I agree it's how it's supposed to work.
However, do we actually support gss_set_neg_mechs?  If this ticket is
easier to accept than writing a new API at this point in the
process,then perhaps we should do so.  The bug that you need to be able
to control what SPNEGO offers seems quite real, and I think we should
provide some fix to that bug in the 1.8 timeframe if it's causing
problems for people willing to write code.


More information about the krbdev mailing list