From klmitch@MIT.EDU Tue Nov 12 19:08:48 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA29003 for <bugs@RT-11.MIT.EDU>; Tue, 12 Nov 1996 19:08:48 -0500
Received: from STARKILLER.MIT.EDU by MIT.EDU with SMTP
id AA04830; Tue, 12 Nov 96 19:08:47 EST
Received: by starkiller.MIT.EDU (5.x/4.7) id AA24971; Tue, 12 Nov 1996 19:08:47 -0500
Message-Id: <9611130008.AA24971@starkiller.MIT.EDU>
Date: Tue, 12 Nov 1996 19:08:47 -0500
From: klmitch@MIT.EDU
Reply-To: klmitch@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: GSSAPI fails to handle forwardable credentials
X-Send-Pr-Version: 3.99
>Number: 183
>Category: krb5-libs
>Synopsis: GSSAPI fails to handle forwardable credentials
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: marc
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Nov 12 19:09:00 EST 1996
>Last-Modified: Tue Sep 09 14:23:29 EDT 1997
>Originator: Kevin L Mitchell
>Organization:
mit
>Release: 1.0-development
>Environment:
System: SunOS starkiller 5.4 Generic_101945-37 sun4m sparc
>Description:
A test program I wrote does the following (the -d option tells it to attempt to delegate credentials):
[starkiller]-[~]-> /var/klmitch/mycode/gss-test/client -d -s host starkiller this is a test
Message: this is a test
Service: host@starkiller
Host : starkiller
Port : 4444
Deleg : on
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: Generic error (see e-text)
[starkiller]-[~]-> /var/klmitch/mycode/gss-test/client -s host starkiller this is a test
Message: this is a test
Service: host@starkiller
Host : starkiller
Port : 4444
Deleg : off
Sending init_sec_context token (size 491)...continue needed...
(...and so on...)
all of which means that the GSSAPI fails to handle delegation of credentials.
Previously, it would forward them, but would fail to return the forwarded
credentials to the original caller (though it would set the delegation
flag).
>How-To-Repeat:
Perform a GSS-API init_sec_context/accept_sec_context handshake with credential delegation turned on.
>Fix:
>Audit-Trail:
State-Changed-From-To: open-analyzed
State-Changed-By: marc
State-Changed-When: Wed Nov 20 22:15:39 1996
State-Changed-Why:
If GSS_C_DELEG_FLAG was specified, but the credentials weren't
actually forwardable, then gss_init_sec_context() would fail. Now, it
will succeed, but GSS_C_DELEG_FLAG will be cleared in the output
ret_flags.
I haven't yet fixed the server to create a gss_cred_id_t with the
delegated credential, but I know what I need to do.
Kevin, since you have some test code for this, can you please see if
gss_init_sec_context() dtrt, both with forwardable (kinit -f) and
non-forwardable tickets? If you can't do this before Monday, can you
point me at the code? Thanks!
Responsible-Changed-From-To: krb5-unassigned->marc
Responsible-Changed-By: marc
Responsible-Changed-When: Wed Nov 20 22:23:32 1996
Responsible-Changed-Why:
mine now, I guess.
State-Changed-From-To: analyzed-closed
State-Changed-By: klmitch
State-Changed-When: Tue Sep 9 14:19:18 1997
State-Changed-Why:
added code to actually deal with generating a credential handle.
This will break if we start using the stuff in the "generic"
subdirectory because that stuff uses a different type of credential
handle, but the calling semantics force me to generate my own
>Unformatted:
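
The audit trail above notes that gss_init_sec_context() now succeeds with GSS_C_DELEG_FLAG cleared in ret_flags when the ticket is not forwardable, so a caller that depends on delegation has to compare requested and returned flags itself. The following C code is an added example, not part of this PR or of the krb5 tree; check_ret_flags(), flag_names() and the verdict enum are hypothetical names, and the flag values are the RFC 2744 assignments, defined locally so the example builds without GSS-API headers.

```c
#include <stdio.h>
#include <string.h>

/* Context flag values as assigned in RFC 2744 (the GSS-API C bindings).
 * Defined locally so the example builds without GSS-API headers. */
#define GSS_C_DELEG_FLAG   1u
#define GSS_C_MUTUAL_FLAG  2u
#define GSS_C_INTEG_FLAG  32u

enum flag_verdict { FLAGS_OK, FLAGS_DEGRADED, FLAGS_REJECT };

/* Hypothetical helper: compare what the caller requested (req_flags) with
 * what the completed context reports (ret_flags). `required` is the subset
 * of req_flags the application cannot work without. *dropped receives
 * every requested flag that was not granted. */
enum flag_verdict check_ret_flags(unsigned req_flags, unsigned ret_flags,
                                  unsigned required, unsigned *dropped)
{
    *dropped = req_flags & ~ret_flags;
    if (*dropped & required)
        return FLAGS_REJECT;      /* fail closed: tear the context down */
    return *dropped ? FLAGS_DEGRADED : FLAGS_OK;
}

/* Render a flag set for a log line; returns buf. */
const char *flag_names(unsigned flags, char *buf, size_t len)
{
    static const struct { unsigned bit; const char *name; } tbl[] = {
        { GSS_C_DELEG_FLAG, "DELEG" }, { GSS_C_MUTUAL_FLAG, "MUTUAL" },
        { GSS_C_INTEG_FLAG, "INTEG" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (flags & tbl[i].bit) {
            if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
            strncat(buf, tbl[i].name, len - strlen(buf) - 1);
        }
    return buf;
}

int main(void)
{
    /* Constructed case: delegation requested with a non-forwardable ticket,
     * so the context is established but DELEG is missing from ret_flags. */
    unsigned req = GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG;
    unsigned ret = GSS_C_MUTUAL_FLAG, dropped;
    char names[32];
    enum flag_verdict v = check_ret_flags(req, ret, GSS_C_DELEG_FLAG, &dropped);
    printf("verdict=%d dropped=%s\n", v, flag_names(dropped, names, sizeof names));
    return v == FLAGS_REJECT ? 1 : 0;
}
```

In a real initiator the two flag words would be the req_flags argument passed to gss_init_sec_context() and the ret_flags it returns once the context is complete.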