Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Andrew Bartlett abartlet at samba.org
Sun Mar 20 21:29:47 UTC 2016


On Sun, 2016-03-20 at 07:56 -0700, Richard Sharpe wrote:
> On Sun, Mar 20, 2016 at 1:15 AM, Andrew Bartlett <abartlet at samba.org>
> wrote:
> > 
> > On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:
> > 
> > > 
> > > Sending non-empty output token is required by GSSAPI processing
> > > regardless of the state we are in, see closing paragraphs of 2.2.2
> > > in RFC 2743:
> > > ----------------------------
> > > The output_token result, when non-NULL, provides a context-level token
> > > to be returned to the context initiator to continue a multi-step context
> > > establishment sequence. As noted with GSS_Init_sec_context(), any
> > > returned token should be transferred to the context's peer (in this
> > > case, the context initiator), independent of the value of the
> > > accompanying returned major_status.
> > > ----------------------------
> > Thanks!  Sounds like we should pass it on, but not adjust the status
> > variable.  I do wonder if the rest of gensec (and callers) expects
> > that, but it of course should also be adjusted.
> Sigh,
> 
> Look at frame 7 in the attached to convince yourself that it is a
> Windows server responding (I don't think we support NEGOEX even now),
> and frame 11 to see how Windows responds when an error token is
> returned.
> 
> I don't gratuitously make these changes.

Thanks, I didn't previously have the context you gave above.  A
matching test would be a very good thing here, because this area is
some of the more delicate in Samba, and we want to keep getting it
right.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
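The behaviour the quoted RFC 2743 text requires, shown as an added example that is not part of this thread and not Samba's gensec or any real GSSAPI implementation: a constructed toy initiator and acceptor mechanism stand in for gss_init_sec_context()/gss_accept_sec_context(), and two hypothetical wrapper functions (gensec_update_broken, gensec_update_fixed) contrast dropping the output token on an error major_status with passing it through while leaving the status untouched. The effect on the peer is the same one the thread describes: with the token forwarded, the initiator learns why the context failed; with it dropped, it sees nothing.

```python
"""Model of a multi-step GSSAPI-style context establishment.

Constructed for illustration: the mechanisms, token formats and wrapper
names below are toys, not Samba's gensec code or the real GSSAPI.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed stand-ins for GSSAPI major_status values.
GSS_S_COMPLETE = 0
GSS_S_CONTINUE_NEEDED = 1
GSS_S_FAILURE = 2


@dataclass
class MechAcceptor:
    """Toy acceptor: challenge, then verify the proof. Stands in for gss_accept_sec_context()."""
    expected_secret: bytes
    step: int = 0

    def accept(self, input_token: bytes) -> Tuple[int, bytes]:
        self.step += 1
        if self.step == 1:
            # First leg: ask the initiator to prove it knows the secret.
            return GSS_S_CONTINUE_NEEDED, b"CHALLENGE"
        if input_token == b"PROOF:" + self.expected_secret:
            return GSS_S_COMPLETE, b"ACCEPTED"
        # Error major_status *and* an output token explaining the failure.
        # RFC 2743 says that token must still reach the initiator.
        return GSS_S_FAILURE, b"ERROR:bad-proof"


@dataclass
class MechInitiator:
    """Toy initiator. Stands in for gss_init_sec_context()."""
    secret: bytes
    last_error: Optional[bytes] = None

    def init(self, input_token: bytes) -> Tuple[int, bytes]:
        if input_token == b"":
            return GSS_S_CONTINUE_NEEDED, b"HELLO"
        if input_token == b"CHALLENGE":
            return GSS_S_CONTINUE_NEEDED, b"PROOF:" + self.secret
        if input_token == b"ACCEPTED":
            return GSS_S_COMPLETE, b""
        if input_token.startswith(b"ERROR:"):
            # The error token carries the reason; record it for the caller.
            self.last_error = input_token[len(b"ERROR:"):]
        return GSS_S_FAILURE, b""


Update = Callable[[MechAcceptor, bytes], Tuple[int, bytes]]


def gensec_update_broken(mech: MechAcceptor, input_token: bytes) -> Tuple[int, bytes]:
    """Hypothetical wrapper with the defect: discards the token when status is an error."""
    status, out = mech.accept(input_token)
    if status not in (GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED):
        return status, b""  # error token silently dropped
    return status, out


def gensec_update_fixed(mech: MechAcceptor, input_token: bytes) -> Tuple[int, bytes]:
    """Hypothetical corrected wrapper: token passed through, status left as the mechanism set it."""
    return mech.accept(input_token)


def run_exchange(initiator: MechInitiator, acceptor: MechAcceptor,
                 acceptor_update: Update, max_steps: int = 8) -> Tuple[int, Optional[bytes]]:
    """Drive both sides; returns (acceptor's final status, error reason seen by the initiator)."""
    _, tok = initiator.init(b"")
    for _ in range(max_steps):
        acc_status, tok = acceptor_update(acceptor, tok)
        if tok:
            # Whatever the acceptor returned is transferred to the peer, as the RFC requires.
            _, tok = initiator.init(tok)
        if acc_status != GSS_S_CONTINUE_NEEDED:
            return acc_status, initiator.last_error
    raise RuntimeError("context establishment did not converge")


if __name__ == "__main__":
    for label, update in (("broken", gensec_update_broken), ("fixed", gensec_update_fixed)):
        print(label, run_exchange(MechInitiator(b"wrong"), MechAcceptor(b"s3cret"), update))
</test>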