Expired Krb5 TGT prevents GSSAPI from calling SPNEGO plugins
abernstein at vmware.com
Tue Mar 1 18:23:09 EST 2016
The change you checked in fixes expired Kerberos credentials preventing
plugin mechs from being executed.
During my testing, I believed I encountered a case where leaving the
Krb5 mech OID in the mechs_array broke plugin mechanisms, which is why I
coded my patch to leave out the Krb5 mech OID.
However, I've re-tried testing without either of our fixes, and manually
set "status = 0" in the debugger after the failed call to "status =
mech->gss_inquire_cred()". Manually forcing a successful return after
krb5_gss_inquire_cred() returns allows the SRP plugin mech to work.
Removing the Krb5 mech OID from the mechs_array is not required to
resolve this problem.
As your fix is checked in and works for the issue I reported, we will
use your change, as it is an officially supported GSSAPI change.
Thanks for looking into this issue,
On 3/1/16 1:49 PM, Greg Hudson wrote:
> Hi, Adam. I submitted https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_krb5_krb5_pull_418&d=BQIC-g&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=o4kJa_KVmM09QFQ8yc4DVnti6YAUAUKF973znNCXFXg&m=J9aMMzaSHp2czb39RSaSBeGUzt-wm7fxJVFYHiKiu1g&s=gocWbEgyTA4rdQPdsWMVqy6035bsFPzSMQDtOK_w3Ok&e= yesterday
> to address this issue in a simpler way. Can you see if that change
> works for you?
> Thanks again for reporting this.
More information about the krbdev