NegoEx broke GSSAPI in BIND 9
ghudson at mit.edu
Wed May 20 12:14:26 EDT 2020
On 5/20/20 5:34 AM, Ondřej Surý wrote:
> Unfortunately, this stopped working since 1.18.1, but perhaps we were doing something
> wrong from the beginning. Honestly, looking at the GSSAPI is like reading tea leaves :-),
> so I would appreciate if I can get some pointers where to start with the debugging.
I don't immediately see what's going wrong. What Simo pointed out seems
unlikely to be related to the regression.
Given the error message, my best guess is that this is related to commit
c088f56a62702a2cc99c26185681efee1555b7fa ("Restrict SPNEGO acceptor
mechs by cred acquisition"). It should be possible to individually
revert that commit to confirm. I still wouldn't really know why it
caused a regression, though.
The error message corresponds to ERR_SPNEGO_NO_MECHS_AVAILABLE, which
can be returned from get_available_mechs() or get_negotiable_mechs() in
src/lib/gssapi/spnego/spnego_mech.c. If I had a reproduction recipe for
this, I would start by setting a breakpoint in get_negotiable_mechs() on
the acceptor side, and figure out the execution path differences between
1.17 and 1.18.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 228 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20200520/be4f7b55/attachment.bin
More information about the krbdev