To: krb5-bugs@MIT.EDU
Subject: error reporting made worse in gss_acquire_creds
Date: Tue, 11 Oct 2011 05:43:22 -0400 (EDT)
From: hartmans@MIT.EDU (Sam Hartman)

Hi. The patch to try all mechanisms and return success if any of them
returns success produces a bad error in case of failure. If you acquire
acceptor credentials with no dynamic mechanisms and with no keytab,
you get a GSS_FAILURE with no useful minor status.

--Sam

Looking into this:

1. gss_acquire_cred tries all of the mechs in sequence and, if none of
them worked, returns the last major/minor status it saw. The last mech
is SPNEGO, which tries all of the other mechs and comes up with a minor
status of ERR_SPNEGO_NO_MECHS_AVAILABLE, which conveys no useful
information.

2. spnego_gss_acquire_cred has a bug where it stomps its own minor
status with a call to gss_release_oid_set(), so we don't even see the
useless error message; instead we get a minor code which maps to 0 and
gss_display_status returns the empty string.

I will fix #2 but not link it to this report, since it solves the
uninteresting part of the problem. #1 is harder; it's fundamentally
difficult to return a useful error message for "I tried a bunch of
things which I don't have a lot of specific knowledge about, and they
all failed." Returning the first major/minor code we see would probably
be more helpful for krb5 use cases, but not for Moonshot or similar use
cases.

From: Sam Hartman <hartmans@mit.edu>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6973] error reporting made worse in gss_acquire_creds
Date: Mon, 14 May 2012 15:28:14 -0400
RT-Send-Cc:
I've read this.
I'm pondering if there's anything useful to recommend.

From: ghudson@mit.edu
Subject: SVN Commit

Use first mech's status in gss_acquire_cred

If we can't acquire creds for any mech in gss_acquire_cred, return the
status of the first mech instead of the last mech, as it's more useful
in the typical case (where the first mech is krb5 and the last mech is
SPNEGO). This error reporting is not ideal when the user was
expecting to use some mech other than krb5, but it's about as good as
things were prior to #6894.

https://github.com/krb5/krb5/commit/71ca96850348569a7358b32301bb0cc60eb08103
Author: Greg Hudson <ghudson@mit.edu>
Commit: 71ca96850348569a7358b32301bb0cc60eb08103
Branch: master
src/lib/gssapi/mechglue/g_acquire_cred.c | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)
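The two behaviours discussed in this ticket, as an added example that is not krb5's mechglue or SPNEGO code: a simplified acquire loop that reports either the last or the first mech's status (Greg's item #1 and the commit above), and a failure path whose cleanup call clobbers the caller's minor status (item #2). The types, status codes, fake mechanisms and `fake_release_oid_set` are constructed stand-ins for gssapi.h, chosen so the two outcomes are distinguishable.

```c
/* Constructed stand-ins for gssapi.h types and codes (not the real header). */
typedef unsigned int OM_uint32;
#define GSS_S_COMPLETE 0
#define GSS_S_FAILURE  13
#define KRB5_MINOR_NO_KEYTAB  1001   /* constructed: "no keytab" detail   */
#define SPNEGO_MINOR_NO_MECHS 2001   /* constructed: "no mechs available" */
/* Hypothetical per-mechanism acquire entry point: returns major, sets *minor. */
typedef OM_uint32 (*acquire_fn)(OM_uint32 *minor);
static OM_uint32 fake_krb5_acquire(OM_uint32 *minor)
{ *minor = KRB5_MINOR_NO_KEYTAB; return GSS_S_FAILURE; }
static OM_uint32 fake_spnego_acquire(OM_uint32 *minor)
{ *minor = SPNEGO_MINOR_NO_MECHS; return GSS_S_FAILURE; }
/* Stand-in for gss_release_oid_set(): like any GSS-API call it writes *minor. */
static OM_uint32 fake_release_oid_set(OM_uint32 *minor)
{ *minor = 0; return GSS_S_COMPLETE; }

/* Mechglue-style loop: succeed on the first mech that works; otherwise
 * report the last failure (pre-commit) or the first one (post-commit). */
OM_uint32 acquire_all_mechs(const acquire_fn *mechs, int n, int keep_first,
                            OM_uint32 *minor_status)
{
    OM_uint32 major = GSS_S_FAILURE, minor = 0;
    OM_uint32 first_major = GSS_S_FAILURE, first_minor = 0;
    for (int i = 0; i < n; i++) {
        major = mechs[i](&minor);
        if (major == GSS_S_COMPLETE) { *minor_status = 0; return major; }
        if (i == 0) { first_major = major; first_minor = minor; }
    }
    *minor_status = keep_first ? first_minor : minor;
    return keep_first ? first_major : major;
}
/* SPNEGO-style failure path. Handing the caller's pointer to the cleanup
 * call clobbers the minor status (bug #2); a scratch variable preserves it. */
OM_uint32 spnego_style_fail(OM_uint32 *minor_status, int clobber)
{
    OM_uint32 scratch;
    *minor_status = SPNEGO_MINOR_NO_MECHS;
    fake_release_oid_set(clobber ? minor_status : &scratch);
    return GSS_S_FAILURE;
}

/* Helpers returning the minor status a caller would actually observe. */
OM_uint32 demo_acquire_minor(int keep_first)
{
    const acquire_fn mechs[] = { fake_krb5_acquire, fake_spnego_acquire };
    OM_uint32 minor = 0;
    acquire_all_mechs(mechs, 2, keep_first, &minor);
    return minor;
}
OM_uint32 demo_cleanup_minor(int clobber)
{ OM_uint32 minor = 0; spnego_style_fail(&minor, clobber); return minor; }
```

With `keep_first` set, the caller sees the krb5 "no keytab" minor code instead of SPNEGO's generic one; with `clobber` set, the cleanup call leaves minor status 0, which `gss_display_status` renders as an empty string.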