Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Andrew Bartlett abartlet at samba.org
Sun Mar 20 08:15:20 UTC 2016


On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:

> Sending non-empty output token is required by GSSAPI processing
> regardless of the state we are in, see closing paragraphs of 2.2.2
> in RFC 2743:
> ----------------------------
> The output_token result, when non-NULL, provides a context-level token
> to be returned to the context initiator to continue a multi-step context
> establishment sequence. As noted with GSS_Init_sec_context(), any
> returned token should be transferred to the context's peer (in this
> case, the context initiator), independent of the value of the
> accompanying returned major_status.
> ----------------------------

Thanks!  Sounds like we should pass it on, but not adjust the status
variable.  I do wonder if the rest of gensec (and callers) expects
that, but it of course should also be adjusted.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
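
The behaviour discussed in this message (forward any returned token to the peer, leave the status as the mechanism reported it), as an added example that is not Samba's gensec code and not part of the original mail. The types, status macros, `accept_fn` callback and mock mechanisms are hypothetical stand-ins so that it builds without a GSSAPI library.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins modeled on GSSAPI so this builds without libgssapi (assumed names). */
typedef struct { size_t length; const void *value; } token_t;
#define ST_COMPLETE        0u
#define ST_CONTINUE_NEEDED 1u
#define ST_FAILURE         (13u << 16)             /* constructed routine error */
#define ST_IS_ERROR(s)     (((s) & 0xffff0000u) != 0)

/* Hypothetical callback in place of gss_accept_sec_context(). */
typedef unsigned (*accept_fn)(const token_t *in, token_t *out);

enum step_result { STEP_DONE, STEP_MORE, STEP_FAILED };
struct step {
    enum step_result result;
    unsigned major;   /* status exactly as the mechanism returned it */
    token_t to_peer;  /* length 0: nothing to send */
};

struct step accept_step(accept_fn accept, const token_t *in)
{
    struct step s = { STEP_FAILED, 0, { 0, NULL } };
    token_t out = { 0, NULL };

    s.major = accept(in, &out);
    if (out.length > 0)          /* forward the token whatever major says */
        s.to_peer = out;
    if (ST_IS_ERROR(s.major))    /* a token never upgrades an error */
        s.result = STEP_FAILED;
    else if (s.major & ST_CONTINUE_NEEDED)
        s.result = STEP_MORE;
    else
        s.result = STEP_DONE;
    return s;
}

/* Constructed mock mechanisms covering the three cases. */
unsigned mock_error_with_token(const token_t *in, token_t *out)
{ (void)in; out->length = 9; out->value = "KRB-ERROR"; return ST_FAILURE; }

unsigned mock_error_no_token(const token_t *in, token_t *out)
{ (void)in; (void)out; return ST_FAILURE; }

unsigned mock_continue(const token_t *in, token_t *out)
{ (void)in; out->length = 4; out->value = "next"; return ST_CONTINUE_NEEDED; }
```

A caller sends `to_peer` whenever its length is non-zero and then acts on `result`, so an error token reaches the initiator while the authentication still fails.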





