Re: Does this happen in the new mechglue too?
The issue was that trying to acquire a credential could result in a redundant AS-REQ. It turned out to be lib/mechglue/g_acquire_cred.c:gss_acquire_cred was looping over all mechanisms. The problem was that with SPNEGO it did KRB5 twice, once for KRB5 mech and once through SPNEGO mech calling KRB5. I added a clause that checked for mech-mech_type == GSS_SPNEGO_MECHANISM to skip that mech (unless it was explicitly specified). Please consider this condition wrt the new mechglue code if necessary. After a fast read though of the code it looks like this could still happen in the new mech-glue code. This is the second issue with gssapi mech-glue layer hides too much from SPNEGO. I need figure out the implications of this (split or merged mech-glue/SPNEGO). Love
Does this happen in the new mechglue too?
Unfortunately I'm still using mechglue-branch at the moment. I have found numerous bugs that I'm sure you don't care about anymore but there was one issue that could conceivably exist in the new code. The issue was that trying to acquire a credential could result in a redundant AS-REQ. It turned out to be lib/mechglue/g_acquire_cred.c:gss_acquire_cred was looping over all mechanisms. The problem was that with SPNEGO it did KRB5 twice, once for KRB5 mech and once through SPNEGO mech calling KRB5. I added a clause that checked for mech-mech_type == GSS_SPNEGO_MECHANISM to skip that mech (unless it was explicitly specified). Please consider this condition wrt the new mechglue code if necessary. Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/