Re: [patch] miscellaneous mechglue stuff

Hi Mike,

>2. The server then calls
>   gss_init_sec_context(GSS_SPNEGO_NO_OPTIMISTIC_FLAG_X) to generate the
>   list of available mechs and sends the NegTokenInit (w/o a mech token)
>   to the client in the NEGOTIATE Response.

I can understand the confusion, but it's not how the code is designed
to work. For the purpose of this discussion, the server is ALWAYS the

The server must call gss_accept_sec_context() with the token received
by the client, which may or may not be an empty token. In the case of
an empty token it will respond with a NegTokenInit.

Don't forget a server may need to support both behaviours. This is the
case with LDAP in Active Directory (as it is with XAD). For example,
SAMBA uses acceptor-first in GSS-SPNEGO LDAP binds, whereas Microsoft
LDAP clients use initiator-first. Of course, the server could choose
whether to call gss_init_sec_context() or gss_accept_sec_context()
depending on whether the client sent an empty token or not (which is
what your proposal would require), but to me this is completely
non-intuitive. The logic to deal with this should be inside GSS-API,
not the application.

>3. The client calls gss_accept_sec_context with the above token
>   and provided it doesn't return GSS_S_BAD_MECH the application then
>   throws away the half-baked gss_ctx_id_t (note: the output token from
>   gss_accept_sec_context should be empty here).

The client is not the acceptor, that doesn't make any sense at all. Nor
does it make sense to throw away GSS contexts: it is one authentication
session after all.

>Your point about this MS behavior being non-standard anyway is well
>received. But I just think having gss_accept_sec_context generate
>a NegTokenInit is very awkward. Gss_init_sec_context only takes
>an empty token or a NegTokenTarg as input and it only outputs a
>NegTokenInit. Gss_accept_sec_context only takes a NegTokenInit as input
>and it only outputs a NegTokenTarg (or an empty token in the special
>case where there's no optimistic mech token in the input token).

Your assertions regarding NegToken{Targ,Init} are true for standard
SPNEGO but not MS acceptor-sends-first SPNEGO.


-- Luke
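The acceptor-side dispatch described in the reply above (the server always calls the accept routine; an empty inbound token yields a NegTokenInit carrying the mech list, a NegTokenInit yields a NegTokenTarg selecting a mech), as an added, self-contained model. This is illustration code written for this page, not MIT krb5, XAD or any other GSS-API implementation, and it does not call a real gss_accept_sec_context(). It hand-encodes the DER shapes of RFC 4178 (InitialContextToken, NegTokenInit with mechTypes, NegTokenTarg with negState and supportedMech) and stops at mech selection: no mech token or mechListMIC is carried, the state names and the helper names (`classify`, `accept_sec_context`, `build_neg_token_init`, `build_neg_token_targ`, `mech_types`) are assumptions of this model, and the "unsupported" OID used in the usage section is a constructed value.

```python
"""Toy model of an SPNEGO acceptor that handles both initiator-first and
acceptor-first exchanges through one accept-style entry point.
Constructed for illustration; not a GSS-API implementation."""

# Well-known mechanism OIDs, pre-encoded as DER OBJECT IDENTIFIER TLVs.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

ACCEPT_INCOMPLETE = b"\x01"  # negState ENUMERATED value from RFC 4178


def der(tag, body):
    """Wrap body in a DER TLV with the given tag (definite-length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def tlv(buf):
    """Split one DER TLV off the front of buf -> (tag, body, rest)."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[2:2 + k], "big")
        i = 2 + k
    return tag, buf[i:i + n], buf[i + n:]


def build_neg_token_init(mechs):
    """InitialContextToken { SPNEGO OID, [0] NegTokenInit { [0] mechTypes } }.
    No optimistic mechToken: this is the acceptor-first form."""
    mech_list = der(0x30, b"".join(mechs))            # SEQUENCE OF MechType
    neg_init = der(0x30, der(0xA0, mech_list))        # NegTokenInit SEQUENCE
    return der(0x60, SPNEGO_OID + der(0xA0, neg_init))  # [APPLICATION 0]


def build_neg_token_targ(chosen):
    """[1] NegTokenTarg { [0] negState accept-incomplete, [1] supportedMech }."""
    body = der(0xA0, der(0x0A, ACCEPT_INCOMPLETE)) + der(0xA1, chosen)
    return der(0xA1, der(0x30, body))


def classify(token):
    """Tell apart the three things an acceptor may be handed."""
    if not token:
        return "empty"
    tag, body, _ = tlv(token)
    if tag == 0x60 and body.startswith(SPNEGO_OID):
        inner_tag, _, _ = tlv(body[len(SPNEGO_OID):])
        if inner_tag == 0xA0:
            return "NegTokenInit"
    if tag == 0xA1:
        return "NegTokenTarg"
    return "unknown"


def mech_types(token):
    """Extract the mechTypes list (as OID TLVs) from a NegTokenInit."""
    _, body, _ = tlv(token)                       # [APPLICATION 0]
    _, neg, _ = tlv(body[len(SPNEGO_OID):])       # [0] NegTokenInit
    _, seq, _ = tlv(neg)                          # NegTokenInit SEQUENCE
    tag, mt, _ = tlv(seq)                         # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes is not the first element")
    _, lst, _ = tlv(mt)                           # SEQUENCE OF MechType
    oids = []
    while lst:
        _, oid, lst = tlv(lst)
        oids.append(der(0x06, oid))
    return oids


def accept_sec_context(inbound, supported=(KRB5_OID, NTLMSSP_OID)):
    """Single acceptor entry point: the application never has to decide
    between init and accept based on whether the client sent a token."""
    kind = classify(inbound)
    if kind == "empty":
        # Acceptor-first: advertise our mechs in a NegTokenInit w/o mech token.
        return "CONTINUE_NEEDED", build_neg_token_init(list(supported))
    if kind == "NegTokenInit":
        offered = mech_types(inbound)
        chosen = next((m for m in offered if m in supported), None)
        if chosen is None:
            return "BAD_MECH", b""
        return "CONTINUE_NEEDED", build_neg_token_targ(chosen)
    return "DEFECTIVE_TOKEN", b""


if __name__ == "__main__":
    # Acceptor-first: client binds with an empty token, server answers NegTokenInit.
    state, out = accept_sec_context(b"")
    print(state, classify(out), [o.hex() for o in mech_types(out)])
    # Initiator-first: client sends NegTokenInit offering NTLMSSP only.
    state, out = accept_sec_context(build_neg_token_init([NTLMSSP_OID]))
    print(state, classify(out))
```

Both LDAP bind styles named in the reply go through `accept_sec_context`: the empty-token bind produces a NegTokenInit with the server's mech list, and a client-initiated NegTokenInit produces a NegTokenTarg naming the first mutually supported mech; a client that offers only mechs the acceptor lacks gets the BAD_MECH outcome instead of a token.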