Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Richard Sharpe realrichardsharpe at
Sun Mar 20 14:56:06 UTC 2016

On Sun, Mar 20, 2016 at 1:15 AM, Andrew Bartlett <abartlet at> wrote:
> On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:
>> Sending non-empty output token is required by GSSAPI processing
>> regardless of the state we are in, see closing paragraphs of 2.2.2
>> in RFC 2743:
>> ----------------------------
>> The output_token result, when non-NULL, provides a context-level
>> token
>> to be returned to the context initiator to continue a multi-step
>> context
>> establishment sequence. As noted with GSS_Init_sec_context(), any
>> returned token should be transferred to the context's peer (in this
>> case, the context initiator), independent of the value of the
>> accompanying returned major_status.
>> ----------------------------
> Thanks!  Sounds like we should pass it on, but not adjust the status
> variable.  I do wonder if the rest of gensec (and callers) expects
> that, but it of course should also be adjusted.


Look at frame 7 in the attached to convince yourself that it is a
Windows server responding (I don't think we support NEGOEX even now),
and frame 11 to see how Windows responds when an error token is

I don't gratuitously make these changes.

Richard Sharpe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5_windows_file_server_correct_error-1.pcapng
Type: application/octet-stream
Size: 13764 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list