Writing gss mechanism - Kerberos user2user

Idan Freiberg speidy at gmail.com
Sun Feb 5 01:21:19 EST 2017

Hello all,

I'm working on an implementation for Kerberos user2user mechanism, in order
to be able to interop with MS requests as such.

Talking with Simo, kaduk @ irc, I was advised to add it as a seperate .so
While it is possible, i'm not sure its the right way. One reason for that
is because MS doesn't specify user2user mech as a seperate mech in
MechTypes (NegoTokenInit).
They actually ask for official krb5 or mskrb5 oids, then they include the
user2user token as the MechToken of the request.

That made me think u2u should be hooked in gssapi_krb5.

On the other hand, looking at gss-ntlmssp by Simo, I find that a support
was added into gssapi itself in order to detect that mech when
NegoTokenInit comes in (altough thats a different way of detection), so i
might be wrong about my the above.

Can you share your thoughts about that one?
Idan Freiberg

PGP FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18

More information about the krbdev mailing list