gss_krb5_import_cred fails for Samba

Nico Williams nico at cryptonector.com
Sat Jul 23 00:12:59 EDT 2011


On Fri, Jul 22, 2011 at 10:29 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On Fri, 2011-07-22 at 20:14 -0400, Andrew Bartlett wrote:
>> This case is where the principal is specified, and the incoming GSSAPI
>> request has the same key and kvno, but a different server name?
>
> Contrary to what Luke says, I would expect this to work out of the box
> in krb5 1.9.  If you look at the logic of
> krb5_rd_req_decrypt_tkt_part() in rd_req_dec.c, you'll see that if
> server != NULL, we look up server in the keytab and ignore
> req->ticket->server.

I think using req->ticket->server is precisely what Andrew wants,
which means using GSS_C_NO_CREDENTIAL *or* a credential acquired for
desired_name == GSS_C_NO_NAME.  (GSS doesn't [yet] have a strong
concept of credential sets, as it requires that desired_name be the
same for all elements of a credential -- that is, it has a concept of
credential set, but what must differ from one element to the next is
the mechanism, not the name.)

Nico
--
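
The two acceptor cases discussed in this thread, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model: `select_key`, the structs and the sample names are hypothetical, a string comparison stands in for ticket decryption, and the `server == NULL` branch assumes the ticket's own server name is used for the keytab lookup, as the reply implies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model only: "key" strings stand in for real key material. */
struct kt_entry { const char *princ; int kvno; const char *key; };
struct ticket   { const char *server; int kvno; const char *key; };

/* Constructed keytab: two service names sharing one key and kvno. */
static const struct kt_entry sample_kt[] = {
    { "host/fs.example.com@EXAMPLE.COM", 3, "K-shared" },
    { "cifs/fs.example.com@EXAMPLE.COM", 3, "K-shared" },
};
#define SAMPLE_KT_LEN (sizeof(sample_kt) / sizeof(sample_kt[0]))

/* Constructed tickets: one for a keytab name, one for a name not in it. */
static const struct ticket t_cifs  = { "cifs/fs.example.com@EXAMPLE.COM", 3, "K-shared" };
static const struct ticket t_alias = { "cifs/alias.example.com@EXAMPLE.COM", 3, "K-shared" };

static const struct kt_entry *kt_find(const struct kt_entry *kt, size_t n,
                                      const char *princ, int kvno)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(kt[i].princ, princ) == 0 && kt[i].kvno == kvno)
            return &kt[i];
    return NULL;
}

/* server != NULL: look up server, ignore tkt->server (acceptor name given).
 * server == NULL: look up tkt->server (assumed: no credential / no name). */
const char *select_key(const struct kt_entry *kt, size_t n,
                       const char *server, const struct ticket *tkt)
{
    const char *name = server != NULL ? server : tkt->server;
    const struct kt_entry *e = kt_find(kt, n, name, tkt->kvno);
    if (e == NULL || strcmp(e->key, tkt->key) != 0)
        return NULL;            /* no keytab entry, or key does not match */
    return e->princ;            /* keytab entry that selected the key */
}

int main(void)
{
    const char *a = select_key(sample_kt, SAMPLE_KT_LEN,
                               "host/fs.example.com@EXAMPLE.COM", &t_alias);
    const char *b = select_key(sample_kt, SAMPLE_KT_LEN, NULL, &t_alias);
    printf("name given: %s\n", a ? a : "(fail)");
    printf("no name:    %s\n", b ? b : "(fail)");
    return 0;
}
```
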




More information about the krbdev mailing list