Re: Does this happen in the new mechglue too?
> The issue was that trying to acquire a credential
> could result in a redundant AS-REQ. It turned out to be
> lib/mechglue/g_acquire_cred.c:gss_acquire_cred was looping over all
> mechanisms. The problem was that with SPNEGO it did KRB5 twice, once
> for KRB5 mech and once through SPNEGO mech calling KRB5.
>
> I added a clause that checked for &mech->mech_type == GSS_SPNEGO_MECHANISM
> to skip that mech (unless it was explicitly specified).
>
> Please consider this condition wrt the new mechglue code if necessary.
After a fast read through of the code it looks like this could still
happen in the new mech-glue code.
This is the second issue with the gssapi mech-glue layer hiding too much
from SPNEGO. I need to figure out the implications of this
(split or merged mech-glue/SPNEGO).
Love
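
The double acquisition described in the quoted message, as a small C model. This is an added example, not Heimdal's mechglue code and not part of the original thread; the mech table, the function names and the AS-REQ counter are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model only: every name here is hypothetical, none is Heimdal API. */
enum mech_id { MECH_KRB5, MECH_SPNEGO };

static int as_req_count;    /* simulated AS-REQs sent to the KDC */

/* Stand-in for the krb5 mech's acquire_cred: one KDC round trip per call. */
static int krb5_acquire(void) { as_req_count++; return 0; }

/* Stand-in for SPNEGO's acquire_cred: it calls into krb5 underneath. */
static int spnego_acquire(void) { return krb5_acquire(); }

struct mech { enum mech_id id; int (*acquire)(void); };

static const struct mech mechs[] = {
    { MECH_KRB5,   krb5_acquire   },
    { MECH_SPNEGO, spnego_acquire },
};
#define NMECHS (sizeof(mechs) / sizeof(mechs[0]))

/*
 * Model of the mechglue loop. desired == NULL means the caller named no
 * mechanisms, so all are tried. skip_spnego enables the clause from the
 * quoted message. Returns the number of AS-REQs the call caused.
 */
int acquire_cred_model(const enum mech_id *desired, size_t ndesired,
                       int skip_spnego)
{
    as_req_count = 0;
    for (size_t i = 0; i < NMECHS; i++) {
        int named = 0;
        for (size_t j = 0; j < ndesired; j++)
            if (desired[j] == mechs[i].id)
                named = 1;
        if (desired != NULL && !named)
            continue;   /* caller listed mechs and this is not one of them */
        if (skip_spnego && mechs[i].id == MECH_SPNEGO && !named)
            continue;   /* would only repeat the krb5 acquisition */
        mechs[i].acquire();
    }
    return as_req_count;
}

int main(void)
{
    printf("all mechs, no skip: %d AS-REQ\n", acquire_cred_model(NULL, 0, 0));
    printf("all mechs, skip:    %d AS-REQ\n", acquire_cred_model(NULL, 0, 1));
    return 0;
}
```

In this model, naming both mechanisms explicitly still yields two AS-REQs, since the clause only skips SPNEGO when it was not explicitly specified.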