Not getting delegation credential from gss_accept_sec_context()
Xie, Hugh
hugh.xie at bankofamerica.com
Wed Oct 8 17:45:45 EDT 2014
My mistake. The error is from * gss_inquire_context(&min_stat, state->context, &gssuser, NULL, NULL, NULL, NULL, NULL, NULL);* post call to * gss_init_sec_context*. Can I still call this function post gss_init_sec_context with delegate handle?
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Xie, Hugh
Sent: Wednesday, October 08, 2014 5:23 PM
To: Greg Hudson; Kerberos at mit.edu
Subject: RE: Not getting delegation credential from gss_accept_sec_context()
That was what I did. Both context_handle for *gss_accept_sec_context()* and then * gss_init_sec_context* were initialized to GSS_C_NO_CONTEXT and the address of &context_handle are passed to these functions. I am getting error " No context has been established" and " Attempt to use incomplete security context" for minor when I call gss_init_sec_context with delegated_cred_handle from gss_accept_sec_context. I do not get this error if I do not pass delegated_cred_handle.
-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu]
Sent: Wednesday, October 08, 2014 5:10 PM
To: Xie, Hugh; Kerberos at mit.edu
Subject: Re: Not getting delegation credential from gss_accept_sec_context()
On 10/08/2014 03:41 PM, Xie, Hugh wrote:
> After switching version 1.12.2, as a follow up question to the next step of S4U2Proxy.
>
> I passed the delegated_cred_handle from *gss_accept_sec_context()* to *gss_init_sec_context*. I got a "No context has been established" error since the context_handle is reinitialized to GSS_C_NO_CONTEXT. This is not a problem when I am not using delegated_cred_handle. When I attempt to pass the same context handle from gss_accept_sec_context(), I got a segmentation error.
>
> Can you tell me what context_handle to use?
Just as when you initially call gss_accept_sec_context, you need to pass the address of a gss_ctx_id_t variable which was initialized to GSS_C_NO_CONTEXT. If you pass NULL, you will get the error you mentioned.
Reusing the acceptor context is incorrect usage; there ought to be a safety check so that it results in an error instead of a seg fault, but there might not be. I will file a ticket if I can reproduce the issue.
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman-mit-edu.ezproxyberklee.flo.org/mailman/listinfo/kerberos
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
More information about the Kerberos
mailing list