#16 Must not be default mechanism
Closed 4 years ago by simo. Opened 4 years ago by scholtz.

Why does gssntlmssp have the flag GSS_C_MA_NOT_DFLT_MECH?

I have debugged this, when I built Kerberos from source code, and tracked the error "No credentials were supplied, or the credentials were unavailable or inaccessible." right to the point

g_accept_sec_context.c:
    /* Reject the mechanism if its attribute set contains GSS_C_MA_NOT_DFLT_MECH,
     * or if the attribute lookup itself fails. */
    if (generic_gss_test_oid_set_member(&minor, GSS_C_MA_NOT_DFLT_MECH,
                                        attrs, &p) != GSS_S_COMPLETE || p) {
        reject = 1;
    }

This is correct behavior from MIT krb GSSAPI, because this attribute means that the mechanism MUST NOT be used as the default.

Why do you enforce this attribute on gssntlmssp?

Is there any way around building the custom library without this attribute?

Please note the purpose of my action: https://stackoverflow.com/questions/60296237/how-to-debug-gssapi


This flag is used to figure out if GSSAPI can deal with a mechanism where you have not provided credentials to verify the incoming connections. GSSNTLMSSP is not expected to be used by default as it is a relatively insecure mechanism.
I.e. the application needs to request it explicitly.

Look at the conditions in which allow_mech_by_default() (where you got that snippet of code from) is called.
It is called when no certifier_cred_handle is provided to gss_accept_sec_context().

If you want to use gssntlmssp explicitly then all you have to do is acquire creds for your service via an API like gss_acquire_cred_from and then everything will work fine.
All you need to provide there is the expected server name.

So you really do not need to disable anything in the code, just use the API correctly.

Metadata Update from @simo:
- Issue status updated to: Closed (was: Open)

4 years ago
