Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Richard Sharpe realrichardsharpe at gmail.com
Sun Mar 20 14:56:06 UTC 2016


On Sun, Mar 20, 2016 at 1:15 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:
>
>> Sending non-empty output token is required by GSSAPI processing
>> regardless of the state we are in, see closing paragraphs of 2.2.2
>> in RFC 2743:
>> ----------------------------
>> The output_token result, when non-NULL, provides a context-level token
>> to be returned to the context initiator to continue a multi-step context
>> establishment sequence. As noted with GSS_Init_sec_context(), any
>> returned token should be transferred to the context's peer (in this
>> case, the context initiator), independent of the value of the
>> accompanying returned major_status.
>> ----------------------------
>
> Thanks!  Sounds like we should pass it on, but not adjust the status
> variable.  I do wonder if the rest of gensec (and callers) expects
> that, but it of course should also be adjusted.

Sigh,

Look at frame 7 in the attached to convince yourself that it is a
Windows server responding (I don't think we support NEGOEX even now),
and frame 11 to see how Windows responds when an error token is
returned.

I don't gratuitously make these changes.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5_windows_file_server_correct_error-1.pcapng
Type: application/octet-stream
Size: 13764 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160320/019c51d1/krb5_windows_file_server_correct_error-1.obj>
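
The rule quoted in this thread from RFC 2743 section 2.2.2, combined with the suggestion to pass the token on without adjusting the status, is sketched below as an added example; it is not part of the original message and is not Samba's gensec code. The `step_status`, `step_result` and `acceptor_step` names are hypothetical, the status macros repeat the RFC 2744 encoding so the file builds without a GSSAPI library, and the token bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status encoding from RFC 2744 (GSS-API C bindings), copied here so the
 * example builds without a GSSAPI library installed. */
#define GSS_S_COMPLETE        0u
#define GSS_S_CONTINUE_NEEDED (1u << 0)
#define GSS_S_FAILURE         (13u << 16)
#define GSS_ERROR(x)          ((x) & 0xFFFF0000u) /* calling + routine error bits */

/* Hypothetical types for this example; not Samba's gensec API. */
enum step_status { STEP_DONE, STEP_MORE, STEP_FAILED };
struct step_result {
    enum step_status status; /* reported to the caller, never softened */
    const uint8_t *reply;    /* token to transmit to the initiator, or NULL */
    size_t reply_len;
};

/* Decide what to do with the results of one gss_accept_sec_context() call. */
struct step_result acceptor_step(uint32_t major, const uint8_t *tok, size_t len)
{
    struct step_result r = { STEP_FAILED, NULL, 0 };

    /* RFC 2743 2.2.2: a returned token goes to the peer regardless of major. */
    if (tok != NULL && len > 0) {
        r.reply = tok;
        r.reply_len = len;
    }
    if (GSS_ERROR(major))
        r.status = STEP_FAILED;      /* error token rides along with the error */
    else if (major & GSS_S_CONTINUE_NEEDED)
        r.status = STEP_MORE;        /* expect another token from the initiator */
    else
        r.status = STEP_DONE;
    return r;
}

int main(void)
{
    static const uint8_t err_tok[] = { 0x7e, 0x03, 0x02, 0x01 }; /* constructed bytes */
    struct step_result r = acceptor_step(GSS_S_FAILURE, err_tok, sizeof(err_tok));

    printf("status=%d reply_len=%zu\n", (int)r.status, r.reply_len);
    return r.status == STEP_FAILED && r.reply_len == sizeof(err_tok) ? 0 : 1;
}
```

The failing step still reports STEP_FAILED to its caller while the reply buffer is populated, so the transport layer can send the error token before tearing the session down.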

