[PATCH 8/9] kerberos: Don't include GSS_C_DCE_STYLE in default gss_init_sec_context() flags.

Dmitry Timoshkov dmitry at baikal.ru
Thu Jan 25 06:54:01 CST 2018


Dmitry Timoshkov <dmitry at baikal.ru> wrote:

> Hans Leidekker <hans at codeweavers.com> wrote:
> 
> > > > Looks like gss_wrap_iov() depends on GSS_C_DCE_STYLE being provided at
> > > > the context creation time. That's weird, I can't find an explanation
> > > > that this flag is required for this API.
> > > 
> > > https://web.mit.edu/kerberos/krb5-1.12/doc/appdev/gssapi.html
> > > "If the context was established using the GSS_C_DCE_STYLE flag (described
> > > in RFC 4757), wrap tokens compatible with Microsoft DCE RPC can be constructed.
> > > In this case, the IOV list must include a SIGN_ONLY buffer, a DATA buffer,
> > > a second SIGN_ONLY buffer, and a HEADER buffer in that order (the order of
> > > the buffer contents remains arbitrary). The application must pad the DATA
> > > buffer to a multiple of 16 bytes as no padding or trailer buffer is used."
> > > 
> > > So the implementation of kerberos_SpSealMessage() should be fixed. Since
> > > this is your code, would you mind having a look at it?
> > 
> > Sure, I can take a look. Can you show me how to reproduce your failure?
> 
> Just run the tester, type http://wintest2.test.local in the "Url:" field
> and press the "Test" button. Make sure that you have a valid TGT in the cache.
> (I assume that SPN "HTTP/wintest2.test.local" from the log you've provided
> earlier exists on the server, otherwise you may need to list available SPNs
> on the Windows side using 'setspn -T yourdomain.com -Q */*' and find one
> starting with the HTTP/ prefix).

I forgot to mention that Kerberos Tester requires 'winetricks dotnet20'
to function; it won't work with wine-mono.

-- 
Dmitry.


