My mistake. The error is from * gss_inquire_context(&min_stat, state->context, &gssuser, NULL, NULL, NULL, NULL, NULL, NULL);* post call to * gss_init_sec_context*. Can I still call this function post gss_init_sec_context with delegate handle?
-----Original Message----- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Xie, Hugh Sent: Wednesday, October 08, 2014 5:23 PM To: Greg Hudson; Kerberos@mit.edu Subject: RE: Not getting delegation credential from gss_accept_sec_context() That was what I did. Both context_handle for *gss_accept_sec_context()* and then * gss_init_sec_context* were initialized to GSS_C_NO_CONTEXT and the address of &context_handle are passed to these functions. I am getting error " No context has been established" and " Attempt to use incomplete security context" for minor when I call gss_init_sec_context with delegated_cred_handle from gss_accept_sec_context. I do not get this error if I do not pass delegated_cred_handle. -----Original Message----- From: Greg Hudson [mailto:ghud...@mit.edu] Sent: Wednesday, October 08, 2014 5:10 PM To: Xie, Hugh; Kerberos@mit.edu Subject: Re: Not getting delegation credential from gss_accept_sec_context() On 10/08/2014 03:41 PM, Xie, Hugh wrote: > After switching version 1.12.2, as a follow up question to the next step of > S4U2Proxy. > > I passed the delegated_cred_handle from *gss_accept_sec_context()* to > *gss_init_sec_context*. I got a "No context has been established" error since > the context_handle is reinitialized to GSS_C_NO_CONTEXT. This is not a > problem when I am not using delegated_cred_handle. When I attempt to pass the > same context handle from gss_accept_sec_context(), I got a segmentation error. > > Can you tell me what context_handle to use? Just as when you initially call gss_accept_sec_context, you need to pass the address of a gss_ctx_id_t variable which was initialized to GSS_C_NO_CONTEXT. If you pass NULL, you will get the error you mentioned. Reusing the acceptor context is incorrect usage; there ought to be a safety check so that it results in an error instead of a seg fault, but there might not be. I will file a ticket if I can reproduce the issue. ---------------------------------------------------------------------- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ---------------------------------------------------------------------- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos