Bug 969954
Summary: | [REGRESSION] gss_acquire_cred(GSS_C_NO_NAME) fails without kinit | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stefan Becker <chemobejk> |
Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 19 | CC: | dwmw2, nalin, nathaniel, ssorce |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-06-04 08:16:52 UTC | Type: | Bug |
Description
Stefan Becker
2013-06-03 07:22:48 UTC
Why do you think this call should succeed if you have no credentials? You are trying to acquire credentials, but you have none, and gss_acquire_cred is failing with an error saying you have no credentials, which is the truth as far as I understand. In 1.10, gss_acquire_cred often does not immediately try to acquire credentials, but defers the operation to the time when gss_init_sec_context() is executed. All that said, given you are not passing any specific name or option to gss_acquire_cred() you should probably simply remove the call, and use gss_init_sec_context() directly. To me this looks like a NOTABUG, unless Nalin spots something I missed.

I didn't write the original code. As the code flow always worked until now, I never suspected that the gss_acquire_cred() call was pointless. I removed it from pidgin-sipe: http://repo.or.cz/w/siplcs.git/commitdiff/d19a69fe6afacf7b9fc756e077c70cb3092d1df3 I verified that this works on krb5 1.8.x, 1.10.x & 1.11.x. Thanks for pointing out the problem.

Closing as NOTABUG

Wait a minute. What if I have to use gss_acquire_cred() just so that I can use gss_set_neg_mechs() for SPNEGO? Surely I might have good reason to use GSS_C_NO_NAME then? Or how *else* do I set the mechanisms for it to use?

Yes David, if you have a good reason to use gss_acquire_cred() by all means use it. Just do not expect it to always immediately indicate whether you have valid credentials or not; you always have to go all the way to gss_init_sec_context() to find that out. This is true now as it was before: a user can always call kdestroy when your code is doing a reconnection attempt right between your call to gss_acquire_cred() and gss_init_sec_context().

As long as it doesn't *fail*, for SPNEGO, just because I don't have Kerberos creds. I might have creds for one of the *other* mechanisms that I expect SPNEGO to fall back to...