gss_krb5_import_cred fails for Samba
Greg Hudson
ghudson at MIT.EDU
Tue Jul 19 10:19:48 MDT 2011
On Mon, 2011-07-18 at 10:30 -0400, Andrew Bartlett wrote:
> This is because alloc_union_cred() calls [...]
Judging by the code in g_acquire_cred.c, the call to
mech->gss_display_name should be conditional on mech_name !=
GSS_C_NO_NAME.
If you're in a position to test the attached patch and let me know if
it resolves the case where the principal is unspecified, that would be
helpful.
> If the principal is specified (matching the keytab value of host$@REALM)
> then the login fails with 'Wrong principal in request'.
I'd be interested in knowing more about why this is; I wouldn't expect
it to happen as long as the specified principal exists in the keytab.
> Given this function seems to have been added for Samba, is there a test
> case that could be expanded to ensure that Samba's needs for this
> function can be met?
I will try to add some automated tests for these scenarios.
-------------- next part --------------
diff --git a/src/lib/gssapi/mechglue/g_set_cred_option.c b/src/lib/gssapi/mechglue/g_set_cred_option.c
index 897c84f..b530b1e 100644
--- a/src/lib/gssapi/mechglue/g_set_cred_option.c
+++ b/src/lib/gssapi/mechglue/g_set_cred_option.c
@@ -85,12 +85,14 @@ alloc_union_cred(OM_uint32 *minor_status,
if (status != GSS_S_COMPLETE)
goto cleanup;
- status = mech->gss_display_name(minor_status,
- mech_name,
- &cred->auxinfo.name,
- &cred->auxinfo.name_type);
- if (status != GSS_S_COMPLETE)
- goto cleanup;
+ if (mech_name != GSS_C_NO_NAME) {
+ status = mech->gss_display_name(minor_status,
+ mech_name,
+ &cred->auxinfo.name,
+ &cred->auxinfo.name_type);
+ if (status != GSS_S_COMPLETE)
+ goto cleanup;
+ }
status = GSS_S_COMPLETE;
*pcred = cred;
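Review bot: when mech_name is GSS_C_NO_NAME, the new `if (mech_name != GSS_C_NO_NAME)` guard skips the only visible assignment to cred->auxinfo.name and cred->auxinfo.name_type, and this hunk does not show how cred is allocated. Please confirm that cred is zero-initialized before this point, or set the two fields explicitly to an empty buffer and GSS_C_NO_OID in an else branch, so that later code which displays or releases auxinfo does not read indeterminate values. A one-line comment above the guard saying that the mechanism may legitimately return no name here would also help the next reader, and a test covering the no-name path would lock the behaviour in.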