[CDRIVER-658] GSSAPI Authentication implementation is broken and does not work Created: 15/May/15  Updated: 05/Jun/15  Resolved: 18/May/15

Status: Closed
Project: C Driver
Component/s: auth, libmongoc
Affects Version/s: None
Fix Version/s: 1.1.6

Type: Bug Priority: Blocker - P1
Reporter: Anil Kumar Assignee: A. Jesse Jiryu Davis
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related

 Description   

The GSSAPI auth mechanism does not seem to be working in the intended manner. Looks like the code at https://github.com/mongodb/mongo-c-driver/blob/master/src/mongoc/mongoc-sasl.c#L303-L310 seem to be breaking for the step = 0. This condition seems to be valid only for sasl step 1 onwards when the inbuflen should not be 0.

 if (!sasl->step && !*outbuflen) {
      bson_set_error (error,
                      MONGOC_ERROR_SASL,
                      MONGOC_ERROR_CLIENT_AUTHENTICATE,
                      "SASL Failure: no data received from SASL request. "
                      "Does server have SASL support enabled?");
      return false;
   }

should rather be:

 if (sasl->step && !inbuflen) {
      bson_set_error (error,
                      MONGOC_ERROR_SASL,
                      MONGOC_ERROR_CLIENT_AUTHENTICATE,
                      "SASL Failure: no data received from SASL request. "
                      "Does server have SASL support enabled?");
      return false;
   }



 Comments   
Comment by Githook User [ 18/May/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-658 fix GSSAPI / Kerberos

The helpful error message code was wrong and unconditionally aborted
GSSAPI conversations before they began. Even with the condition fixed,
that path isn't hit when trying to connect to a server that doesn't
support GSSAPI, so I'm just removing the code.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/5f40338b5d328ee70fa6f0e8e03b387f902d4ffd

Comment by A. Jesse Jiryu Davis [ 18/May/15 ]

With the fix in place, auth works normally. If the server doesn't support SASL the error message is still useless: "SASL Failure: (-1): generic failure". So I'm just going to remove the buggy code.

Generated at Wed Feb 07 21:10:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.