gss_init_sec_context() with input_cred_handle != GSS_C_NO_CREDENTIAL
should NOT proceed if there is no element in the given credential for
the requested mechanism.
It isn't possible to use non-default credentials to init a context with
a mechanism for which the credential doesn't have an element. That's
exactly what was happening here. The code was left commented out to
describe how one might use SPNEGO with delegated credentials:
store them with gss_store_cred(), then acquire them back.
This is needed so that the NTLM GSS mechanism can have a meaningful
concept of default credential (the NTLM key for the default domain found
in the ccache).
Instead of hard coding 10 hours as the default ticket lifetime within
lib/krb5/init_cred_pw.c init_cred(), add a preprocessor macro,
KRB5_TKT_LIFETIME_DEFAULT, that can be overridden at build time.
The value of KRB5_TKT_LIFETIME_DEFAULT is 10 hours if not previously
defined.
Change-Id: I63e729fedee8e8c6f542e4a4665de5f40db34c03
Bugs exposed by 61720a0:
- test_context --client-name=... --mech-type=ntlm ... fails;
- gss_acquire_cred() with desired_mech=NTLM and
desired_name==GSS_C_NO_NAME fails;
- gss_init_sec_context() with non-default cred handle calls the
mechanism even when the given cred handle has no element for the
requencet mechanism.
tests/gss/check-ntlm works by accident: gss_acquire_cred() with
desired_mechs==GSS_C_NO_OID_SET succeeds mostly because there are
Kerberos credentials available, and then the subsequent
gss_init_sec_context() call works because of the third bug described
above.
Solaris'/Illumos' gss_acquire_cred_with_password() does not have
side-effects. MIT and Heimdal have differed, but it's now agreed that
the Solaris/Illumos behavior is correct.
To make a credential obained with gss_acquire_cred_with_password()
available to other processes, use gss_store_cred().
In at least two instances the krb5 cred handle expiration time was misused
as a remaining lifetime. This is not surprising since the field name is
wrong ("lifetime" not "expiration"). This commit fixes the code, the next
commit will rename the field and change its type from OM_uint32 to time_t.
When looking for a ticket, use the capath codepath first when we know
the service's realm: because we might have local policy as to how to get
there.
Then, if that doesn't work, try referrals. (For now unconditionally.)
