NegoEx broke GSSAPI in BIND 9

Ondřej Surý ondrej at isc.org
Wed May 20 17:52:59 EDT 2020


Hi Greg,

Actually, my colleague already ran git bisect on the repository and identified the culprit
to be NegoEx (c2ca2f26eaf817a6a7ed42257c380437ab802bd9), and I have just confirmed
that with an independent test: c088f56a62702a2cc99c26185681efee1555b7fa is still
part of the repository, but I reverted the tree to c2ca2f26eaf817a6a7ed42257c380437ab802bd9~
(the commit before NegoEx) and our tests work again.

Going forward to c2ca2f26eaf817a6a7ed42257c380437ab802bd9 makes our tests
break again.  So there is actually something in the NegoEx implementation that makes
gss_accept_sec_context() in BIND 9 return with:

20-May-2020 21:49:46.670 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = SPNEGO cannot find mechanisms to negotiate.

I will try to isolate a minimal test case (if I can) tomorrow.

Thanks,
Ondrej
--
Ondřej Surý
ondrej at isc.org

> On 20 May 2020, at 18:14, Greg Hudson <ghudson at mit.edu> wrote:
> 
> Given the error message, my best guess is that this is related to commit
> c088f56a62702a2cc99c26185681efee1555b7fa ("Restrict SPNEGO acceptor
> mechs by cred acquisition").  It should be possible to individually
> revert that commit to confirm.  I still wouldn't really know why it
> caused a regression, though.
