Package: libkrb53
Version: 1.6.dfsg.3~beta1-4
Severity: normal
Tags: patch

When trying to delegate credentials using mod_auth_kerb, delegation succeeds (mod_auth_kerb receives a delegated gss_cred_id_t), but when it tries to copy that credential into a ccache so it can write it out for CGI scripts to use later, the copy fails.
The copy fails because gss_krb5_copy_ccache (the function being used) is trying to find a credential from the passed-in gss_union_cred_t whose mechanism OID is either krb5_mechanism or krb5_mechanism_old. But the gss_union_cred_t returned to mod_auth_kerb uses the SPNEGO mechanism OID (since the browser used SPNEGO), which doesn't match either of those.

The gss_krb5_copy_ccache function only needs to set "mcred" to one or the other of the Kerberos mechanism credential handles; if the top-level gss_union_cred_t uses SPNEGO, then it should contain a sub-credential that uses one of the Kerberos mechanisms. So one fix would be to make gssint_get_mechanism_cred recurse when it receives an SPNEGO-mechanism union_cred and SPNEGO is not what was asked for. It needs to get a reference to the SPNEGO mechanism OID, of course, but the spnego_gss_get_mech_configs() function provides this.

So if the current mechs_array element doesn't match the passed-in mech_type, but does match spnego_mech, then call back into gssint_get_mechanism_cred with the current cred_array element (cast to a gss_union_cred_t), and see if any of its sub-credentials match. If not, keep running through the loop. If so, return the one that does match.

Attached is a proposed patch to do exactly that (generated from a libkrb53 tree that already has all the other Debian patches applied).

*** krb5-get_mechanism_cred-recurse-on-spnego.patch

Make gssint_get_mechanism_cred recurse if it finds a mechs_array item that matches the SPNEGO OID, but not the OID that it's looking for. (SPNEGO credentials might contain the needed OID.) If a sub-cred is found that matches, return it; otherwise keep looping.

diff -ur a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c --- a/src/lib/gssapi/mechglue/g_glue.c 2007-10-01 22:43:12.000000000 -0400 +++ b/src/lib/gssapi/mechglue/g_glue.c 2008-05-09 13:54:29.000000000 -0400
@@ -519,6 +519,8 @@ return (major_status); } +extern gss_mechanism *spnego_gss_get_mech_configs(void); + /* * Glue routine for returning the mechanism-specific credential from a * external union credential. @@ -529,6 +531,7 @@ gss_OID mech_type; { int i; + gss_OID spnego_mech = &(spnego_gss_get_mech_configs()[0]->mech_type); if (union_cred == GSS_C_NO_CREDENTIAL) return GSS_C_NO_CREDENTIAL; @@ -536,6 +539,18 @@ for (i=0; i < union_cred->count; i++) { if (g_OID_equal(mech_type, &union_cred->mechs_array[i])) return union_cred->cred_array[i]; + + /* for SPNEGO, check the next-lower set of creds */ + if (g_OID_equal(spnego_mech, &union_cred->mechs_array[i])) { + gss_union_cred_t candidate_cred; + gss_cred_id_t sub_cred; + + candidate_cred = (gss_union_cred_t)union_cred->cred_array[i]; + sub_cred = gssint_get_mechanism_cred(candidate_cred, mech_type); + + if(sub_cred != GSS_C_NO_CREDENTIAL) + return sub_cred; + } } return GSS_C_NO_CREDENTIAL; }

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libkrb53 depends on:
ii  libc6         2.7-10    GNU C Library: Shared libraries
ii  libcomerr2    1.40.8-2  common error description library
ii  libkeyutils1  1.2-7     Linux Key Management Utilities (li

libkrb53 recommends no packages.

-- no debconf information
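Review bot: the bare `+extern gss_mechanism *spnego_gss_get_mech_configs(void);` in the first hunk (the @@ -519 hunk) makes the generic mechglue file g_glue.c depend on one specific mechanism, and hides that dependency in a .c-file prototype that nothing checks against the real definition. If mechglue has to know the SPNEGO OID, take it from a header that both sides include (or from a mechglue-level OID constant) so the prototype and the definition cannot drift apart silently, and state the new mechglue-to-SPNEGO coupling in the patch description.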
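Review bot: in the second hunk (@@ -529), `+ gss_OID spnego_mech = &(spnego_gss_get_mech_configs()[0]->mech_type);` runs before the existing `if (union_cred == GSS_C_NO_CREDENTIAL)` early return and again on every recursive call, and it dereferences the returned array and its first element with no NULL check. Move the lookup below the early return, or resolve the SPNEGO OID once and keep it, and fail closed (return GSS_C_NO_CREDENTIAL) if the call returns NULL or an empty table instead of dereferencing it.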
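Review bot: in the third hunk (@@ -536), `+ candidate_cred = (gss_union_cred_t)union_cred->cred_array[i];` treats whatever the SPNEGO mechanism stored as its credential handle as a mechglue union credential without any check, and the new recursion has no depth bound, so a credential whose SPNEGO entry refers back to its own union cred (or to another SPNEGO entry) recurses until the stack is exhausted. Document the assumption that the SPNEGO cred handle is a union cred in the comment above the cast, and either add a depth parameter or refuse to descend when the nested entry is itself SPNEGO. Style: `+ if(sub_cred != GSS_C_NO_CREDENTIAL)` should read `if (sub_cred != GSS_C_NO_CREDENTIAL)` to match the `if (` spacing used in the surrounding code.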
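A stand-alone model of the lookup the report describes, added here as an example; it is not code from the bug report or from MIT krb5. The struct and function names, the `krb5_cred_marker` handle and the `MAX_NEST` bound are this example's own inventions; only the two OID byte strings are real. It contrasts the original flat search (which misses a Kerberos credential nested under a SPNEGO entry) with the recursive search, and adds the depth bound so that a malformed, self-referencing credential is rejected rather than overflowing the stack:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for gss_OID_desc. */
typedef struct {
    size_t length;
    const void *elements;
} oid_desc;

/* Minimal stand-in for the mechglue union credential: parallel arrays of
 * mechanism OIDs and the credential handle each mechanism handed back. */
typedef struct union_cred {
    int count;
    const oid_desc *mechs;
    void **creds;
} union_cred;

/* DER OID bodies of the Kerberos V5 and SPNEGO mechanisms
 * (values taken from RFC 1964 and RFC 4178). */
static const unsigned char krb5_oid_bytes[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char spnego_oid_bytes[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
const oid_desc mech_krb5   = { sizeof krb5_oid_bytes,   krb5_oid_bytes };
const oid_desc mech_spnego = { sizeof spnego_oid_bytes, spnego_oid_bytes };

/* Opaque marker standing in for the Kerberos mechanism's credential handle. */
int krb5_cred_marker;

static int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* Pre-patch behaviour: only the union cred's direct entries are considered. */
void *get_mechanism_cred_flat(const union_cred *uc, const oid_desc *want)
{
    int i;
    if (uc == NULL)
        return NULL;
    for (i = 0; i < uc->count; i++)
        if (oid_equal(want, &uc->mechs[i]))
            return uc->creds[i];
    return NULL;
}

#define MAX_NEST 4   /* hypothetical bound; a real delegated cred nests once */

/* Patched behaviour plus a depth bound: a SPNEGO entry is assumed to carry a
 * nested union credential, which is searched for the wanted mechanism before
 * the loop moves on to the next entry. */
void *get_mechanism_cred(const union_cred *uc, const oid_desc *want, int depth)
{
    int i;
    if (uc == NULL || depth > MAX_NEST)
        return NULL;
    for (i = 0; i < uc->count; i++) {
        if (oid_equal(want, &uc->mechs[i]))
            return uc->creds[i];
        if (oid_equal(&mech_spnego, &uc->mechs[i])) {
            void *sub = get_mechanism_cred((const union_cred *)uc->creds[i],
                                           want, depth + 1);
            if (sub != NULL)
                return sub;
        }
    }
    return NULL;
}

/* Constructed input in the shape the report describes: the delegated
 * credential's only entry is SPNEGO, and the SPNEGO handle is itself a
 * union cred holding the krb5 credential. */
void *lookup_delegated(int recursive)
{
    const oid_desc inner_mechs[1] = { { sizeof krb5_oid_bytes, krb5_oid_bytes } };
    void *inner_creds[1] = { &krb5_cred_marker };
    union_cred inner = { 1, inner_mechs, inner_creds };
    const oid_desc outer_mechs[1] = { { sizeof spnego_oid_bytes, spnego_oid_bytes } };
    void *outer_creds[1] = { &inner };
    union_cred outer = { 1, outer_mechs, outer_creds };

    return recursive ? get_mechanism_cred(&outer, &mech_krb5, 0)
                     : get_mechanism_cred_flat(&outer, &mech_krb5);
}

/* Constructed malformed input: the SPNEGO entry points back at its own union
 * cred. Returns 1 when the bounded lookup gives up cleanly. */
int cyclic_lookup_returns_null(void)
{
    const oid_desc mechs[1] = { { sizeof spnego_oid_bytes, spnego_oid_bytes } };
    void *creds[1];
    union_cred self = { 1, mechs, creds };
    creds[0] = &self;
    return get_mechanism_cred(&self, &mech_krb5, 0) == NULL;
}

int main(void)
{
    printf("flat lookup:      %s\n", lookup_delegated(0) ? "found" : "not found");
    printf("recursive lookup: %s\n",
           lookup_delegated(1) == &krb5_cred_marker ? "found krb5 cred" : "not found");
    printf("cyclic cred:      %s\n", cyclic_lookup_returns_null() ? "rejected" : "BUG");
    return 0;
}
```

The flat lookup is what gss_krb5_copy_ccache hits today: the only top-level OID is SPNEGO, so neither Kerberos OID matches and the copy fails. The recursive version finds the Kerberos handle one level down; the cast on the SPNEGO entry is the same assumption the posted patch makes, so the depth parameter is what keeps a bad handle from turning into unbounded recursion.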