Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: 5ba3c4cf173824ec61db2886ef2c6b654a1e54be
https://github.com/gssapi/gssproxy/commit/5ba3c4cf173824ec61db2886ef2c6b654a...
Author: Michael Weiser <michael.weiser@atos.net>
Date: 2021-01-12 (Tue, 12 Jan 2021)

Changed paths:
M src/gp_creds.c

Log Message:
-----------
Handle impersonation of oneself

When trying to impersonate the user which has been selected as impersonation credential, MIT krb5 returns error:
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638928 "Unspecified GSS failure. Minor code may provide more information" "KDC has no support for padata type" [ ] } output_cred_handle: <Null> )
An attempt to impersonate oneself is not allowed. Also, it is likely not even necessary: If we can get impersonation credentials from credstores, we can at least try to short circuit and get actual user credentials the same way.
With this patch it becomes possible to delegate the acquisition of e.g. cifs mount credentials from cifs.upcall into gssproxy and use the host identity (e.g. HOSTNAME$@REALM of AD) while it is also being selected as impersonation credential due to the order of keys in the keytab.

Signed-off-by: Michael Weiser <michael.weiser@atos.net>
gss-proxy@lists.fedorahosted.org