[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gss_init_sec_context igores cred if GSS_SPNEGO_MECHANISM

> On Wed, 31 May 2006 18:07:06 -0400
> Michael B Allen <mba2000@ioplex.com> wrote:
> > Does it make sense to do gss_acquire_cred with GSS_KRB5_MECHANISM and
> > then gss_init_sec_context with that cred and GSS_SPNEGO_MECHANISM? If
> > you do that with mechglue-branch the cred is basically ignored because
> > mechglue/g_glue.c:__gss_get_mechanism_cred tries and fails for find a
> > mechanism specific internal credential. Can anyone recommend a "fix".
> Never mind. It looks like if I just use GSS_C_NULL_OID_SET that everything
> Just Works (tm).

At third glance this *is* a problem if the cred is obtained through

Specifcally, using a delegated credential and GSS_SPNEGO_MECHANISM with
gss_init_sec_context doesn't work. The credential is ignored.

Gss_acquire_cred is doing something that allows GSS_SPNEGO_MECHANISM
to be specified with init_sec_context without ignoring the cred. But
accept_sec_context doesn't.

This is mechglue-branch BTW.


Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization