GSSAPI NTLM mechanism doesn't report missing credentials on context initation
| Originator: | asanka | ||
| Number: | rdar://12952893 | Date Originated: | 03-Jan-2013 05:18 PM |
| Status: | Duplicate/12856260 | Resolved: | 08-Jan-2013 07:37 PM |
| Product: | Mac OS X | Product Version: | 10.7 |
| Classification: | Bug | Reproducible: | Always |
Summary: Initial gss_init_sec_context() call succeeds even when there are no credentials when using Heimdal GSSAPI with NTLM mechanism. This has the side-effect of causing the SPNEGO mechanism to use NTLM as the preferred mechanism when no credentials are present. However, a context cannot be established successfully since the second gss_init_sec_context() call fails. Steps to Reproduce: 1. Verify no credentials are present that can be used by any GSSAPI mechanism. E.g.: Running '/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/gsstool list' yields no credentials. 2. Call gss_init_sec_context() with initiator credential set to GSS_C_NO_CREDENTIAL and using either GSS_SPNEGO_MECHANISM or GSS_NTLM_MECHANISM as the mechanism. Expected Results: Returns GSS_S_NO_CRED. Actual Results: Returns GSS_S_CONTINUE_NEEDED. Regression: N/A. Notes: Clients that use GSSAPI on Mac OS X may falsely start initiating an authentication context with a server when no credentials are present.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!
Marked as duplicate of 12856260