Subject: [Urgent] A bug in Kerberos V5 API "gss_acquire_cred"
From: "Yu Hong JM Ma" <myubj@cn.ibm.com>
To: krb5-bugs@mit.edu
Date: Tue, 15 Mar 2016 03:49:40 +0000
Dear Kerberos V5 specialist:
 
When I was using krb5_1.10, I encountered the following issue:
 
For API gss_acquire_cred, 
 
OM_uint32 KRB5_CALLCONV
gss_acquire_cred(minor_status,
                 desired_name,
                 time_req,
                 desired_mechs,
                 cred_usage,
                 output_cred_handle,
                 actual_mechs,
                 time_rec)
if I set the desired_mechs to "GSS_C_NO_OID_SET", the minor status code returned will be for kerberos mech "spnego". This is because the API gss_acquire_cred will call gss_add_cred, and only record the last loop's major and minor code.
 
With the major and minor code returned from this gss_acquire_cred(), I can't obtain the correct error message with error code returned from mech spnego.
 
However, from the GSS user manual, I see that if I set GSS_C_NO_OID_SET, the code will choose a default mechanism for me (kerberos V5).
Could you please help clarify this bug, and make end users get the correct major and minor code? Since if I pass the minor code "10004" (returned from gss_acquire_cred) into API gss_display_status, I will get no error message.
 
Best Regards,

Ma Yuhong 
Platform Symphony, CSTL IBM System & Technology Group, Development
Email: myubj@cn.ibm.com

The bug where gss_acquire_cred() returns the status code of the final
mech was fixed in release 1.11 (ticket #6973). The fix might be easily
backportable to 1.10:

https://github.com/krb5/krb5/commit/71ca96850348569a7358b32301bb0cc60eb08103

There are two bugs affecting SPNEGO's ability to display
gss_acquire_cred() errors, which were fixed in releases 1.11 (no
ticket) and 1.12.1 (ticket #7045). These fixes are not as easily
backported, but you might not need them.

Release 1.10 is no longer supported, as we only support releases for
two years. We also cannot promise urgent support.
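
The status-overwriting loop described in the report above, as an added illustration that is not part of the thread and is not krb5 source code. The type names, function names, status values and sample minor codes are all constructed, and the "first failure" policy is an assumption shown for contrast, not a description of the actual fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a multi-mechanism acquire loop; not krb5 source. */
typedef struct { const char *name; unsigned major, minor; } mech_result;
typedef struct { unsigned major, minor; const char *mech; } status;
enum { OK = 0, FAILURE = 1 };   /* stand-ins for GSS major status values */

/* Behaviour described in the report: every iteration overwrites the saved
 * status, so a total failure carries the codes of the last mechanism tried. */
status acquire_last_wins(const mech_result *m, size_t n)
{
    status st = { FAILURE, 0, NULL };
    size_t acquired = 0;
    for (size_t i = 0; i < n; i++) {
        st = (status){ m[i].major, m[i].minor, m[i].name };
        if (m[i].major == OK) acquired++;
    }
    return acquired ? (status){ OK, 0, NULL } : st;
}

/* Alternative policy (an assumption for contrast): keep the first failure,
 * so the minor code belongs to the mechanism that was tried first. */
status acquire_first_failure(const mech_result *m, size_t n)
{
    status first = { FAILURE, 0, NULL };
    size_t acquired = 0;
    for (size_t i = 0; i < n; i++) {
        if (m[i].major == OK) acquired++;
        else if (first.mech == NULL)
            first = (status){ m[i].major, m[i].minor, m[i].name };
    }
    return acquired ? (status){ OK, 0, NULL } : first;
}

/* Constructed sample: both mechanisms fail, default mechanism tried first. */
static const mech_result SAMPLE[] = {
    { "krb5",   FAILURE, 111 },
    { "spnego", FAILURE, 222 },
};

int main(void)
{
    status a = acquire_last_wins(SAMPLE, 2), b = acquire_first_failure(SAMPLE, 2);
    printf("last wins:     minor %u from %s\n", a.minor, a.mech);
    printf("first failure: minor %u from %s\n", b.minor, b.mech);
    return 0;
}
```

A minor code is only meaningful together with the mechanism that produced it, which is why the caller in the first variant ends up holding a code it cannot look up for the mechanism it expected.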