Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Andrew Bartlett abartlet at
Sun Mar 20 08:15:20 UTC 2016

On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:

> Sending non-empty output token is required by GSSAPI processing
> regardless of the state we are in, see closing paragraphs of 2.2.2 
> in RFC 2743:
> ----------------------------
> The output_token result, when non-NULL, provides a context-level token
> to be returned to the context initiator to continue a multi-step context
> establishment sequence. As noted with GSS_Init_sec_context(), any
> returned token should be transferred to the context's peer (in this
> case, the context initiator), independent of the value of the
> accompanying returned major_status.
> ----------------------------

Thanks!  Sounds like we should pass it on, but not adjust the status
variable.  I do wonder if the rest of gensec (and callers) expects
that, but it of course should also be adjusted.

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
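
Added example, not part of the original message and not Samba's gensec code: a C sketch of the behaviour discussed above, where the acceptor step hands back any output token even on failure and leaves the major status unchanged. All `ex_`/`EX_` names and the stub mechanism are hypothetical; the status constants are local copies of the RFC 2744 values so the block builds without a GSS library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local copies of the RFC 2744 major-status layout; no GSS library needed. */
#define EX_S_COMPLETE 0u
#define EX_S_CONTINUE_NEEDED (1u << 0)
#define EX_S_FAILURE (13u << 16)
#define EX_ERROR(maj) ((maj) & 0xffff0000u) /* calling + routine error bits */
struct ex_buffer { size_t length; unsigned char *value; };

/* Constructed stub mechanism: input starting with 'X' fails, yet an error
 * token for the initiator is still produced alongside the failure status. */
static unsigned ex_accept(const char *in, struct ex_buffer *out)
{
    int bad = (in[0] == 'X');
    const char *reply = bad ? "ERR-TOKEN" : "OK-TOKEN";
    out->length = strlen(reply);
    out->value = malloc(out->length);
    if (out->value == NULL) { out->length = 0; return EX_S_FAILURE; }
    memcpy(out->value, reply, out->length);
    return bad ? EX_S_FAILURE : EX_S_COMPLETE;
}

/* Acceptor step: return any token produced and the major status untouched;
 * a failure is not rewritten into "continue needed". */
unsigned ex_acceptor_step(const char *in, struct ex_buffer *to_send)
{
    to_send->length = 0; to_send->value = NULL;
    return ex_accept(in, to_send);
}

/* Caller: transmit first (copied into sent[] here), then act on the status.
 * Returns 1 = established, 0 = another leg needed, -1 = failed. */
int ex_server_round(const char *in, char *sent, size_t sent_len)
{
    struct ex_buffer tok;
    unsigned maj = ex_acceptor_step(in, &tok);
    sent[0] = '\0';
    if (tok.length > 0 && tok.length < sent_len) {
        memcpy(sent, tok.value, tok.length);
        sent[tok.length] = '\0';
    }
    free(tok.value);
    if (EX_ERROR(maj)) return -1;
    return (maj & EX_S_CONTINUE_NEEDED) ? 0 : 1;
}

int main(void) { char s[32]; printf("%d ", ex_server_round("Xbad", s, sizeof s)); puts(s); return 0; }
```

The caller ordering matters: the token is sent before the status is examined, so the initiator receives the mechanism's error token while the server still treats the exchange as failed.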
