From: Simo Sorce
To: krb5-bugs
Subject: Name handling does not conform to RFC2744
Date: Fri, 19 Jun 2015 16:19:16 -0400
Organization: Red Hat, Inc.
Message-ID: <1434745156.2716.120.camel@willson.usersys.redhat.com>
In RFC2744 3.10 it says:

"A single gss_name_t object may contain multiple names from different namespaces, but all names should refer to the same entity. An example of such an internal name would be the name returned from a call to the gss_inquire_cred routine, when applied to a credential containing credential elements for multiple authentication mechanisms employing different namespaces."

I found myself in exactly this situation (using gss_inquire_cred) and currently libgssapi fails to handle the request appropriately.

In my code I am using gss_acquire_cred() with usage GSS_C_ACCEPT in order to get a "server" name to be used.
In my configuration I have 2 mechanisms that have valid server credentials, however only the first mechanism name is returned when I call gss_inquire_cred().

Later on I use this "server" name as input for gss_init_sec_context(), which is used in a loop with gss_accept_sec_context() in order to validate user credentials obtained via gss_acquire_cred_with_password().

If the credentials being tested are valid only for the second mechanism (using SPNEGO to negotiate a valid mechanism, for example) then the second mechanism fails to work, as the name used is valid only for the first mechanism.

A gss_union_name_t will need to be introduced to fix this problem.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
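As an added illustration of the multi-mechanism name object the report asks for (this is a constructed model, not code from the krb5 project or from the report itself), the C program below keeps one name element per mechanism inside a single name object, contrasts a lookup that only knows the first mechanism's name (the behaviour described above) with one that resolves by mechanism, and adds the check a caller would want: that the name returned for a credential covers every mechanism the credential holds. The mechanism identifiers, the sample names and all helper functions are assumptions made for the example.

```c
/* Added example, not code from the krb5 project or from the bug report.
 * Minimal model of an RFC 2744 section 3.10 internal name that carries one
 * element per mechanism. Mechanism ids and names are constructed values. */
#include <stdio.h>
#include <string.h>

#define MAX_MECHS 4

/* One name element for one mechanism ("mech" stands in for a gss_OID). */
struct name_elem {
    const char *mech;
    const char *name;
};

/* Model of a union name: a set of elements that all refer to one entity. */
struct union_name {
    size_t count;
    struct name_elem elems[MAX_MECHS];
};

/* Add a mechanism-specific element; 0 on success, -1 if full or duplicate. */
int union_name_add(struct union_name *un, const char *mech, const char *name)
{
    if (un->count >= MAX_MECHS) return -1;
    for (size_t i = 0; i < un->count; i++)
        if (strcmp(un->elems[i].mech, mech) == 0) return -1; /* one per mech */
    un->elems[un->count].mech = mech;
    un->elems[un->count].name = name;
    un->count++;
    return 0;
}

/* Resolve the element for the mechanism a later context call will use. */
const char *union_name_for_mech(const struct union_name *un, const char *mech)
{
    for (size_t i = 0; i < un->count; i++)
        if (strcmp(un->elems[i].mech, mech) == 0) return un->elems[i].name;
    return NULL; /* no usable name for this mechanism */
}

/* Behaviour the report describes: only the first mechanism's name exists,
 * so every other mechanism gets no name at all. */
const char *first_mech_only(const struct union_name *un, const char *mech)
{
    if (un->count == 0) return NULL;
    return strcmp(un->elems[0].mech, mech) == 0 ? un->elems[0].name : NULL;
}

/* Check that a name covers each mechanism held by a credential; returns 1
 * if every listed mechanism has a name element, 0 otherwise. */
int name_covers_mechs(const struct union_name *un, const char **mechs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (union_name_for_mech(un, mechs[i]) == NULL) return 0;
    return 1;
}

/* Build a server name from a credential with two mechanism elements
 * (constructed data) and report whether the second mechanism resolves. */
int second_mech_resolves(int use_union)
{
    struct union_name srv = { .count = 0 };
    union_name_add(&srv, "mech-A", "HTTP/server.example.com@EXAMPLE.COM"); /* constructed */
    union_name_add(&srv, "mech-B", "server.example.com");                   /* constructed */
    const char *n = use_union ? union_name_for_mech(&srv, "mech-B")
                              : first_mech_only(&srv, "mech-B");
    return n != NULL;
}

int main(void)
{
    printf("first-mech-only lookup for mech-B: %s\n",
           second_mech_resolves(0) ? "found" : "NOT FOUND (the reported behaviour)");
    printf("union-name lookup for mech-B:      %s\n",
           second_mech_resolves(1) ? "found" : "NOT FOUND");
    return 0;
}
```

The name_covers_mechs check is the practical takeaway: after gss_inquire_cred returns a name for an acceptor credential, compare it against the credential's mechanism set before feeding it to the init/accept loop, so a name that only works for the first mechanism is caught up front rather than surfacing as an authentication failure for the second.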