Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Alexander Bokovoy ab at
Sat Mar 19 08:05:12 UTC 2016

On Sat, 19 Mar 2016, Andrew Bartlett wrote:
> On Fri, 2016-03-18 at 19:28 -0700, Richard Sharpe wrote:
> > Hi folks,
> > 
> > This has been sitting around for a while.
> > 
> > Can I get feedback on it so I can clean it up and get it in?
> I'm not sure changing the error code is the right approach.  If we are
> in an error state, will accepting another blob make it OK?  If not,
> then more processing required isn't the correct error, but we may still
> wish to return the error packet to the client, along with the failure.
Sending non-empty output token is required by GSSAPI processing
regardless of the state we are in, see closing paragraphs of 2.2.2 
in RFC 2743:
The output_token result, when non-NULL, provides a context-level token
to be returned to the context initiator to continue a multi-step context
establishment sequence. As noted with GSS_Init_sec_context(), any
returned token should be transferred to the context's peer (in this
case, the context initiator), independent of the value of the
accompanying returned major_status.

/ Alexander Bokovoy

More information about the samba-technical mailing list