Expired Krb5 TGT prevents GSSAPI from calling SPNEGO plugins

Adam Bernstein abernstein at vmware.com
Tue Mar 1 18:23:09 EST 2016

Hi Greg,

The change you checked in fixes expired Kerberos credentials preventing 
plugin mechs from being executed.

During my testing, I believed I encountered a case where leaving the 
Krb5 mech OID in the mechs_array broke plugin mechanisms, which is why I 
coded my patch to leave out the Krb5 mech OID.

However, I've re-tried testing without either of our fixes, and manually 
set "status = 0" in the debugger after the failed call to "status = 
mech->gss_inquire_cred()". Manually forcing a successful return after 
krb5_gss_inquire_cred() returns allows the SRP plugin mech to work. 
Removing the Krb5 mech OID from the mechs_array is not required to 
resolve this problem.

As your fix is checked in and works for the issue I reported, we will 
use your change, as it is an officially supported GSSAPI change.

Thanks for looking into this issue,

On 3/1/16 1:49 PM, Greg Hudson wrote:
> Hi, Adam.  I submitted https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_krb5_krb5_pull_418&d=BQIC-g&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=o4kJa_KVmM09QFQ8yc4DVnti6YAUAUKF973znNCXFXg&m=J9aMMzaSHp2czb39RSaSBeGUzt-wm7fxJVFYHiKiu1g&s=gocWbEgyTA4rdQPdsWMVqy6035bsFPzSMQDtOK_w3Ok&e=  yesterday
> to address this issue in a simpler way.  Can you see if that change
> works for you?
> Thanks again for reporting this.

More information about the krbdev mailing list