Use gss_krb5_import_cred() for initiator spnego creds

Isaac Boukris iboukris at
Sun Dec 12 19:44:44 EST 2021


When passing a unique memory cache to gss_krb5_import_cred() (aka not
default), I fail to use these creds in gss_init_sec_context() with
spnego mech but succeed with krb5. I wonder if that's a bug or if
there is a way around it.

I managed to reproduce in the test-suite, with this diff:

diff --git a/src/tests/gssapi/t_imp_cred.c b/src/tests/gssapi/t_imp_cred.c
index a2aa5fbae..16b0d1a33 100644
--- a/src/tests/gssapi/t_imp_cred.c
+++ b/src/tests/gssapi/t_imp_cred.c
@@ -75,6 +75,8 @@ main(int argc, char *argv[])
         check_k5err(context, "krb5_parse_name", ret);

+    setenv("KRB5CCNAME", "non-exist", 1);
     /* Get initiator cred. */
     major = gss_krb5_import_cred(&minor, cc, NULL, NULL, &initiator_cred);
     check_gsserr("gss_krb5_import_cred (initiator)", major, minor);
@@ -84,7 +86,7 @@ main(int argc, char *argv[])
     check_gsserr("gss_krb5_import_cred (acceptor)", major, minor);

-    establish_contexts(&mech_krb5, initiator_cred, acceptor_cred, target_name,
+    establish_contexts(&mech_spnego, initiator_cred, acceptor_cred,
                        flags, &initiator_context, &acceptor_context, NULL,
                        NULL, NULL);

*** Failure: ./t_imp_cred failed with code 1.
*** Last command (#130): ./t_imp_cred p:service1/barack
*** Output of last command:
gss_init_sec_context: No credentials were supplied, or the credentials
were unavailable or inaccessible
gss_init_sec_context: SPNEGO cannot find mechanisms to negotiate


More information about the krbdev mailing list