• Should gss_get_name_attribute() dump the values of auth-indicators?

    From Machin, Glenn Douglas@21:1/5 to Machin, Glenn Douglas via Kerberos on Thu Oct 13 15:20:54 2022
    Should gss_get_name_attribute() dump the values of auth-indicators? I verified that the auth-indicators is set correctly by also setting require_auth on the SPN. When not using OTP I cannot obtain the service ticket but when using an OTP I can.

    I have run this on both 1.15 and 1.18 with the same results. Below is a code snippet of what I used, including the gssapi test routine dump_attribute(). It shows in gss_inquire_name() the auth-indicator as a value, but gss_get_name_attribute() indicates that operation is not available or is unsupported.

    Should I be getting the values of auth-indicator?

    Thanks,

    Glenn

    serv_maj_stat = gss_accept_sec_context(&acc_sec_min_stat, &context,
                                           GSS_C_NO_CREDENTIAL, &send_tok,
                                           GSS_C_NO_CHANNEL_BINDINGS,
                                           &client, &doid, &recv_tok,
                                           &ret_flags,
                                           NULL,  /* time_rec */
                                           NULL); /* del_cred_handle */

    maj_stat = gss_inquire_name(&min_stat, client, &is_mech_name, &mech, &attrs);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("gss_inquire_name", maj_stat, min_stat);
    } else {
        size_t i;
        struct gss_buffer_desc_struct thisattr;
        if (attrs && attrs->count > 0) {
            for (i = 0; i < attrs->count; i++) {
                thisattr = attrs->elements[i];
                /* Attribute names are counted buffers, so print by length
                   rather than relying on a terminating NUL. */
                printf("Attr[%zu] of %zu:%.*s\n", i, attrs->count,
                       (int) thisattr.length, (char *) thisattr.value);
            }
        }
    }

    name_buf.value = "auth-indicators";
    /* Length as originally posted: it counts the trailing NUL. */
    name_buf.length = strlen(name_buf.value) + 1;
    maj_stat = gss_import_name(&min_stat, &name_buf,
                               (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME, &input_name);
    authenticated = 0;
    complete = 0;
    noisy = 0;
    more = -1;
    dump_attribute(client, &name_buf, noisy);



    What I get from gss_inquire_name is:

    Attr[0] of 1:auth-indicators

    What I get from dump_attribute which calls gss_get_name_attribute is:

    Looking for attribute auth-indicators
    gss_get_name_attribute: The operation or option is not available or unsupported
    gss_get_name_attribute: No such file or directory

    (gdb) print (char *) attrs->elements[0]->value
    $6 = 0x629ab0 "auth-indicators"

    (gdb) print attrs->count
    $8 = 1

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Machin, Glenn Douglas@21:1/5 to Machin, Glenn Douglas via Kerberos on Thu Oct 13 22:27:31 2022
    Never mind it works. It was the line:
    name_buf.length = strlen(name_buf.value) + 1;

    Should be:
    name_buf.length = strlen(name_buf.value);

    Glenn
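
Why the extra byte breaks the lookup, as an added example (not code from the thread or from MIT krb5): a GSS-API buffer is a counted byte string, so a name whose length includes the trailing NUL is a different, 16-byte name. `buf_t`, `buf_eq`, `buf_from_cstr`, `find_attr` and `lookup` are hypothetical stand-ins so the example runs without a GSS-API library, and the length-then-bytes comparison is an assumption about how the attribute name is matched, consistent with the fix reported above.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_buffer_desc: a counted byte string (length + pointer). */
typedef struct { size_t length; const void *value; } buf_t;

/* Counted-buffer equality: lengths must match before bytes are compared. */
static int buf_eq(const buf_t *a, const buf_t *b)
{
    return a->length == b->length && memcmp(a->value, b->value, a->length) == 0;
}

/* Hypothetical helper: wrap a C string WITHOUT its trailing NUL. */
static buf_t buf_from_cstr(const char *s)
{
    buf_t b = { strlen(s), s };
    return b;
}

/* Return the index of `want` in `set`, or -1 when no attribute matches. */
static int find_attr(const buf_t *set, size_t count, const buf_t *want)
{
    for (size_t i = 0; i < count; i++)
        if (buf_eq(&set[i], want))
            return (int)i;
    return -1;
}

/* Constructed sample: the one attribute name gss_inquire_name() listed above. */
static const char ATTR[] = "auth-indicators";

/* Look the name up using a caller-chosen length for the requested buffer. */
static int lookup(size_t want_len)
{
    buf_t set[1] = { buf_from_cstr(ATTR) };
    buf_t want = { want_len, ATTR };
    return find_attr(set, 1, &want);
}

int main(void)
{
    /* strlen + 1 asks for "auth-indicators\0" (16 bytes): no match. */
    printf("length = strlen + 1 -> index %d\n", lookup(strlen(ATTR) + 1));
    /* strlen asks for exactly the 15 listed bytes: match at index 0. */
    printf("length = strlen     -> index %d\n", lookup(strlen(ATTR)));
    return 0;
}
```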

