+ if (cfg->basic_mechs) {
+ allowed_mechs = cfg->basic_mechs;
+ } else if (cfg->allowed_mechs) {
+ allowed_mechs = cfg->allowed_mechs;
+ } else {
+ struct mag_server_config *scfg;
+ /* Try to fetch the default set if not explicitly configured,
+ * We need to do this because gss_acquire_cred_with_password()
+ * is currently limited to acquire creds for a single "default"
+ * mechanism if no desired mechanisms are passed in. This causes
+ * authentication to fail for secondary mechanisms as no user
+ * credentials are generated for those. */
+ scfg = ap_get_module_config(req->server->module_config,
+ &auth_gssapi_module);
+ /* In the worst case scenario default_mechs equals to GSS_C_NO_OID_SET.
+ * This generally causes only the krb5 mechanism to be tried due
+ * to implementation constraints, but may change in future. */
+ allowed_mechs = scfg->default_mechs;
+ }
+
+ /* Remove Spnego if present, or we'd repeat failed authentiations
+ * multiple times, one within Spnego and then again with an explicit
+ * mechanism. We would normally just force Spnego and use
+ * gss_set_neg_mechs, but due to the way we source the server name
+ * and the fact MIT up to 1.14 at least does no handle union names,
+ * we can't provide spnego with a server name that can be used by
+ * multiple mechanisms, causing any but the first mechanism to fail.
+ * Also remove unwanted krb mechs, or AS requests will be repeated
+ * multiple times uselessly.
+ */
+ filtered_mechs = mag_filter_unwanted_mechs(allowed_mechs);
+ if (filtered_mechs == allowed_mechs) {
+ /* in case filtered_mechs was not allocated here don't free it */
+ filtered_mechs = GSS_C_NO_OID_SET;
+ } else if (filtered_mechs == GSS_C_NO_OID_SET) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Fatal "
+ "failure while filtering mechs, aborting");
+ goto done;
+ } else {
+ /* use the filtered list */
+ allowed_mechs = filtered_mechs;
+ }
+
+#ifdef HAVE_GSS_KRB5_CCACHE_NAME
+ /* If we are using the krb5 mechanism make sure to set a per thread
+ * memory ccache so that there can't be interferences between threads.
+ * Also make sure we have new cache so no cached results end up being
+ * used. Some implementations of gss_acquire_cred_with_password() do
+ * not reacquire creds if cached ones are around, failing to check
+ * again for the password. */
+ maj = gss_test_oid_set_member(&min, discard_const(gss_mech_krb5),
+ allowed_mechs, &present);