Love Hörnquist Åstrand
Thu, 08 Feb 2007 22:23:00 -0800
The issue was that trying to acquire a credential could result in a redundant AS-REQ. It turned out to be lib/mechglue/g_acquire_cred.c:gss_acquire_cred was looping over all mechanisms. The problem was that with SPNEGO it did KRB5 twice, once for KRB5 mech and once through SPNEGO mech calling KRB5.I added a clause that checked for &mech->mech_type == GSS_SPNEGO_MECHANISMto skip that mech (unless it was explicitly specified). Please consider this condition wrt the new mechglue code if necessary.
After a fast read though of the code it looks like this could still happen
in the new mech-glue code. This is the second issue with gssapi mech-glue layer hides too much from SPNEGO. I need figure out the implications of this (split or merged mech-glue/SPNEGO). Love