From: Arlene Berry <aberry@likewise.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: gss_acquire_cred_impersonate_name mechanism selection
Date: Wed, 17 Aug 2011 17:14:43 +0000
In src/lib/gssapi/mechglue/g_acquire_cred_imp_name, if desired_mechs isn’t provided, gss_acquire_cred_impersonate_name ignores the impersonator_cred_handle and defaults to the first mechanism in the default list. It would be better to call gss_inquire_cred on the impersonator credential and use that since what the impersonator credential supports is going to determine what credentials you can obtain. For example, I have an impersonator credential for spnego but unless I also set desired_mechs to spnego, it’s only going to try krb5 which will fail because the impersonator credential doesn’t contain a credential for krb5 (except inside the spnego credential which it won’t see). If it tried the mechanism which the impersonator credential supports, i.e. spnego, then it ought to work since spnego supports gss_acquire_cred_impersonate_name.