Message-ID: <48883D87.8030008@plauener.de>
Date: Thu, 24 Jul 2008 10:29:59 +0200
From: Christian Krause
To: krb5-bugs@mit.edu
Subject: krb5_gss_accept_sec_context always returns minor_status = 0

Hi,

I've started to use krb5's (krb-1.6.3) gss API and at first it happened quite often that this function failed for various reasons (which is not a problem so far). The function returned GSS_S_FAILURE and according to the documentation a more specific error code should be in minor_status. But in my case minor_status was always 0.

I've dug a little bit into the implementation in krb5/src/lib/gssapi/krb5/accept_sec_context.c and it looks like in line 928 the minor_status is correctly set to code, which is the return value of most krb5 functions:

    *minor_status = code;

So far this would work perfectly. Unfortunately, at the end of this function it will be overwritten:

    if (!verifier_cred_handle && cred_handle) {
        krb5_gss_release_cred(minor_status, &cred_handle);
    }

At least in my case, the condition was always true (because I've called accept_sec_context with verifier_cred_handle=GSS_C_NO_CREDENTIAL) and so the real error was always hidden.

Because this is not very convenient (and usually the return code of krb5_gss_release_cred is much less helpful than the real error code of a previous failed function), I'd suggest changing the code like this:

--- src/lib/gssapi/krb5/accept_sec_context.c +++ src/lib/gssapi/krb5/accept_sec_context.c @@ -991,7 +991,8 @@ *output_token = token; } if (!verifier_cred_handle && cred_handle) { - krb5_gss_release_cred(minor_status, &cred_handle); + int release_minor_status; + krb5_gss_release_cred(&release_minor_status, &cred_handle); } krb5_free_context(context); return (major_status);

It would be great if you could review this patch and consider applying it.

Thank you very much in advance!

Best regards,
Christian
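
Review bot: the new local in the `if (!verifier_cred_handle && cred_handle)` block is declared `int release_minor_status;`, but it is passed in the position where `minor_status` was passed before, and GSS-API minor status values are `OM_uint32`. Declare it as `OM_uint32 release_minor_status;` so the pointer type matches what `krb5_gss_release_cred` expects. A one-line comment saying the release status is discarded on purpose, so that the earlier `*minor_status = code` survives, would also help future readers.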
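
The masking described in this report, reduced to a self-contained model (an added example, not part of the original message and not MIT krb5 code). All `model_*` and `MODEL_*` names, the `OM_uint32` stand-in and the error value 42 are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned int OM_uint32;   /* stand-in for the GSS-API integer type */
#define MODEL_S_COMPLETE 0u       /* hypothetical major status values */
#define MODEL_S_FAILURE  1u
#define MODEL_KRB5_ERR   42u      /* constructed error code, not a real krb5 value */

struct model_cred { int in_use; };

/* Stand-in for the release call: it reports its own minor status (0, success). */
static OM_uint32 model_release_cred(OM_uint32 *minor_status, struct model_cred **cred)
{
    (*cred)->in_use = 0;
    *cred = NULL;
    *minor_status = 0;
    return MODEL_S_COMPLETE;
}

/* Model of the accept path. caller_cred == NULL plays the role of
 * GSS_C_NO_CREDENTIAL: a default credential is taken internally and released
 * on exit. preserve_minor picks the cleanup style (0 = shared, 1 = scratch). */
OM_uint32 model_accept(OM_uint32 *minor_status, struct model_cred *caller_cred,
                       OM_uint32 code, int preserve_minor)
{
    static struct model_cred default_cred;
    struct model_cred *cred = caller_cred;
    OM_uint32 major_status = code ? MODEL_S_FAILURE : MODEL_S_COMPLETE;

    if (cred == NULL) { default_cred.in_use = 1; cred = &default_cred; }
    *minor_status = code;                    /* the real error is recorded here */

    if (caller_cred == NULL && cred != NULL) {
        if (preserve_minor) {
            OM_uint32 release_minor;         /* scratch value, ignored on purpose */
            model_release_cred(&release_minor, &cred);
        } else {
            model_release_cred(minor_status, &cred);   /* overwrites the error */
        }
    }
    return major_status;
}

int main(void)
{
    OM_uint32 minor;
    model_accept(&minor, NULL, MODEL_KRB5_ERR, 0);
    printf("cleanup shares minor_status: %u\n", minor);
    model_accept(&minor, NULL, MODEL_KRB5_ERR, 1);
    printf("cleanup uses scratch value:  %u\n", minor);
    return 0;
}
```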