X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=e1ecc36562048282138a11e2bdb7a45e19fc9d3c;hp=d351777374922d008041caf64aff09363a8d0438;hb=6e4513dc0ebe5ff6643223d35b509464d451b230;hpb=c1b6fcaea24a51a235f62a7bb03767a120b24872 diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index d351777..e1ecc36 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -24,6 +24,10 @@ #include "mod_auth_gssapi.h" +const gss_OID_desc gss_mech_spnego = { + 6, "\x2b\x06\x01\x05\x05\x02" +}; + const gss_OID_desc gss_mech_ntlmssp = { GSS_NTLMSSP_OID_LENGTH, GSS_NTLMSSP_OID_STRING }; @@ -96,9 +100,7 @@ static int mag_pre_connection(conn_rec *c, void *csd) { struct mag_conn *mc; - mc = apr_pcalloc(c->pool, sizeof(struct mag_conn)); - - mc->parent = c->pool; + mc = mag_new_conn_ctx(c->pool); ap_set_module_config(c->conn_config, &auth_gssapi_module, (void*)mc); return OK; } @@ -110,11 +112,35 @@ static apr_status_t mag_conn_destroy(void *ptr) if (mc->ctx) { (void)gss_delete_sec_context(&min, &mc->ctx, GSS_C_NO_BUFFER); - mc->established = false; } return APR_SUCCESS; } +struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool) +{ + struct mag_conn *mc; + + mc = apr_pcalloc(pool, sizeof(struct mag_conn)); + apr_pool_create(&mc->pool, pool); + /* register the context in the memory pool, so it can be freed + * when the connection/request is terminated */ + apr_pool_cleanup_register(mc->pool, (void *)mc, + mag_conn_destroy, apr_pool_cleanup_null); + + return mc; +} + +static void mag_conn_clear(struct mag_conn *mc) +{ + (void)mag_conn_destroy(mc); + apr_pool_t *temp; + + apr_pool_clear(mc->pool); + temp = mc->pool; + memset(mc, 0, sizeof(struct mag_conn)); + mc->pool = temp; +} + static bool mag_conn_is_https(conn_rec *c) { if (mag_is_https) { @@ -191,33 +217,54 @@ static char *escape(apr_pool_t *pool, const char *name, return escaped; } -static void mag_store_deleg_creds(request_rec *req, - char *dir, char *clientname, - gss_cred_id_t delegated_cred, - char **ccachefile) +static char *mag_gss_name_to_ccache_name(request_rec *req, + char *dir, const char *gss_name) { - gss_key_value_element_desc element; - gss_key_value_set_desc store; - char *value; - uint32_t maj, min; char *escaped; /* We need to escape away '/', we can't have path separators in * a ccache file name */ /* first double escape the esacping char (~) if any */ - escaped = escape(req->pool, clientname, '~', "~~"); - if (!escaped) return; + escaped = escape(req->pool, gss_name, '~', "~~"); /* then escape away the separator (/) if any */ escaped = escape(req->pool, escaped, '/', "~"); - if (!escaped) return; - value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped); + return apr_psprintf(req->pool, "%s/%s", dir, escaped); +} + +static void mag_set_KRB5CCANME(request_rec *req, char *ccname) +{ + apr_status_t status; + apr_finfo_t finfo; + char *value; + status = apr_stat(&finfo, ccname, APR_FINFO_MIN, req->pool); + if (status != APR_SUCCESS && status != APR_INCOMPLETE) { + /* set the file cache anyway, but warn */ + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req, + "KRB5CCNAME file (%s) lookup failed!", ccname); + } + + value = apr_psprintf(req->pool, "FILE:%s", ccname); + apr_table_set(req->subprocess_env, "KRB5CCNAME", value); +} + +static void mag_store_deleg_creds(request_rec *req, + char *dir, char *clientname, + gss_cred_id_t delegated_cred, + char **ccachefile) +{ + gss_key_value_element_desc element; + gss_key_value_set_desc store; + char *ccname; + uint32_t maj, min; element.key = "ccache"; - element.value = value; store.elements = &element; store.count = 1; + ccname = mag_gss_name_to_ccache_name(req, dir, clientname); + element.value = apr_psprintf(req->pool, "FILE:%s", ccname); + maj = gss_store_cred_into(&min, delegated_cred, GSS_C_INITIATE, GSS_C_NULL_OID, 1, 1, &store, NULL, NULL); if (GSS_ERROR(maj)) { @@ -226,7 +273,7 @@ static void mag_store_deleg_creds(request_rec *req, maj, min)); } - *ccachefile = value; + *ccachefile = ccname; } #endif @@ -267,6 +314,180 @@ const char *auth_types[] = { NULL }; +static void mag_set_req_data(request_rec *req, + struct mag_config *cfg, + struct mag_conn *mc) +{ + apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); + apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", + apr_psprintf(req->pool, + "%ld", (long)mc->expiration)); + req->ap_auth_type = apr_pstrdup(req->pool, + auth_types[mc->auth_type]); + req->user = apr_pstrdup(req->pool, mc->user_name); + if (cfg->deleg_ccache_dir && mc->delegated) { + char *ccname; + ccname = mag_gss_name_to_ccache_name(req, + cfg->deleg_ccache_dir, + mc->gss_name); + if (ccname) { + mag_set_KRB5CCANME(req, ccname); + } + } +} + +static bool mag_auth_basic(request_rec *req, + struct mag_config *cfg, + gss_buffer_desc ba_user, + gss_buffer_desc ba_pwd, + gss_cred_id_t acquired_cred, + gss_cred_usage_t cred_usage, + gss_name_t *client, + gss_OID *mech_type, + gss_cred_id_t *delegated_cred, + uint32_t *vtime) +{ +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + const char *user_ccache = NULL; + const char *orig_ccache = NULL; + long long unsigned int rndname; + apr_status_t rs; +#endif + gss_name_t user = GSS_C_NO_NAME; + gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; + gss_ctx_id_t user_ctx = GSS_C_NO_CONTEXT; + gss_name_t server = GSS_C_NO_NAME; + gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; + gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT; + gss_buffer_desc input = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output = GSS_C_EMPTY_BUFFER; + uint32_t init_flags = 0; + uint32_t maj, min; + bool ret = false; + +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + rs = apr_generate_random_bytes((unsigned char *)(&rndname), + sizeof(long long unsigned int)); + if (rs != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "Failed to generate random ccache name"); + goto done; + } + user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); + maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_krb5_ccache_name() " + "failed", maj, min)); + goto done; + } +#endif + + maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &user); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_import_name() failed", + maj, min)); + goto done; + } + + maj = gss_acquire_cred_with_password(&min, user, &ba_pwd, + GSS_C_INDEFINITE, + cfg->allowed_mechs, + GSS_C_INITIATE, + &user_cred, NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "In Basic Auth, %s", + mag_error(req, "gss_acquire_cred_with_password() " + "failed", maj, min)); + goto done; + } + + if (cred_usage == GSS_C_BOTH) { + /* If GSS_C_BOTH is used then inquire_cred will return the client + * name instead of the SPN of the server credentials. Therefore we + * need to acquire a different set of credential setting + * GSS_C_ACCEPT explicitly */ + if (!mag_acquire_creds(req, cfg, cfg->allowed_mechs, + GSS_C_ACCEPT, &server_cred, NULL)) { + goto done; + } + } else { + server_cred = acquired_cred; + } + maj = gss_inquire_cred(&min, server_cred, &server, + NULL, NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "%s", mag_error(req, "gss_inquired_cred_() " + "failed", maj, min)); + goto done; + } + +#ifdef HAVE_CRED_STORE + if (cfg->deleg_ccache_dir) { + /* delegate ourselves credentials so we store them as requested */ + init_flags |= GSS_C_DELEG_FLAG; + } +#endif + + do { + /* output and input are inverted here, this is intentional */ + maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, + GSS_C_NO_OID, init_flags, 300, + GSS_C_NO_CHANNEL_BINDINGS, &output, + NULL, &input, NULL, NULL); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "%s", mag_error(req, "gss_init_sec_context() " + "failed", maj, min)); + goto done; + } + gss_release_buffer(&min, &output); + maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred, + &input, GSS_C_NO_CHANNEL_BINDINGS, + client, mech_type, &output, NULL, + vtime, delegated_cred); + if (GSS_ERROR(maj)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "%s", mag_error(req, "gss_accept_sec_context()" + " failed", maj, min)); + goto done; + } + gss_release_buffer(&min, &input); + } while (maj == GSS_S_CONTINUE_NEEDED); + + ret = true; + +done: + gss_release_buffer(&min, &output); + gss_release_buffer(&min, &input); + gss_release_name(&min, &server); + if (server_cred != acquired_cred) { + gss_release_cred(&min, &server_cred); + } + gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER); + gss_release_name(&min, &user); + gss_release_cred(&min, &user_cred); + gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER); +#ifdef HAVE_GSS_KRB5_CCACHE_NAME + if (user_ccache != NULL) { + maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); + if (maj != GSS_S_COMPLETE) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, + "Failed to restore per-thread ccache, %s", + mag_error(req, "gss_krb5_ccache_name() " + "failed", maj, min)); + } + } +#endif + return ret; +} + + static int mag_auth(request_rec *req) { const char *type; @@ -283,12 +504,9 @@ static int mag_auth(request_rec *req) gss_buffer_desc ba_user; gss_buffer_desc ba_pwd; gss_name_t client = GSS_C_NO_NAME; - gss_cred_id_t user_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL; - gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; gss_cred_usage_t cred_usage = GSS_C_ACCEPT; - uint32_t flags; uint32_t vtime; uint32_t maj, min; char *reply; @@ -296,15 +514,9 @@ static int mag_auth(request_rec *req) char *clientname; gss_OID mech_type = GSS_C_NO_OID; gss_OID_set desired_mechs = GSS_C_NO_OID_SET; + gss_OID_set indicated_mechs = GSS_C_NO_OID_SET; gss_buffer_desc lname = GSS_C_EMPTY_BUFFER; struct mag_conn *mc = NULL; - gss_ctx_id_t user_ctx = GSS_C_NO_CONTEXT; - gss_name_t server = GSS_C_NO_NAME; -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - const char *user_ccache = NULL; - const char *orig_ccache = NULL; -#endif - uint32_t init_flags = 0; time_t expiration; int i; @@ -315,11 +527,17 @@ static int mag_auth(request_rec *req) cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module); - if (!cfg->allowed_mechs) { + if (cfg->allowed_mechs) { + desired_mechs = cfg->allowed_mechs; + } else { /* Try to fetch the default set if not explicitly configured */ - (void)mag_acquire_creds(req, cfg, GSS_C_NO_OID_SET, GSS_C_ACCEPT, - &server_cred, &cfg->allowed_mechs); - (void)gss_release_cred(&min, &server_cred); + maj = gss_indicate_mechs(&min, &indicated_mechs); + if (maj != GSS_S_COMPLETE) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "%s", + mag_error(req, "gss_indicate_mechs() failed", + maj, min)); + } + desired_mechs = indicated_mechs; } /* implicit auth for subrequests if main auth already happened */ @@ -376,22 +594,15 @@ static int mag_auth(request_rec *req) mag_check_session(req, cfg, &mc); } - if (mc) { - /* register the context in the memory pool, so it can be freed - * when the connection/request is terminated */ - apr_pool_userdata_set(mc, "mag_conn_ptr", - mag_conn_destroy, mc->parent); + auth_header = apr_table_get(req->headers_in, "Authorization"); - if (mc->established) { + if (mc) { + if (mc->established && + (auth_header == NULL) && + (mc->auth_type != AUTH_TYPE_BASIC)) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, "Already established context found!"); - apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name); - apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION", - apr_psprintf(req->pool, - "%ld", (long)mc->expiration)); - req->ap_auth_type = apr_pstrdup(req->pool, - auth_types[mc->auth_type]); - req->user = apr_pstrdup(req->pool, mc->user_name); + mag_set_req_data(req, cfg, mc); ret = OK; goto done; } @@ -400,7 +611,7 @@ static int mag_auth(request_rec *req) pctx = &ctx; } - auth_header = apr_table_get(req->headers_in, "Authorization"); + /* We can proceed only if we do have an auth header */ if (!auth_header) goto done; auth_header_type = ap_getword_white(req->pool, &auth_header); @@ -437,49 +648,16 @@ static int mag_auth(request_rec *req) } ba_user.length = strlen(ba_user.value); ba_pwd.length = strlen(ba_pwd.value); - maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "In Basic Auth, %s", - mag_error(req, "gss_import_name() failed", - maj, min)); - goto done; - } -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - /* Set a per-thread ccache in case we are using kerberos, - * it is not elegant but avoids interference between threads */ - long long unsigned int rndname; - apr_status_t rs; - rs = apr_generate_random_bytes((unsigned char *)(&rndname), - sizeof(long long unsigned int)); - if (rs != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "Failed to generate random ccache name"); - goto done; - } - user_ccache = apr_psprintf(req->pool, "MEMORY:user_%qu", rndname); - maj = gss_krb5_ccache_name(&min, user_ccache, &orig_ccache); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "In Basic Auth, %s", - mag_error(req, "gss_krb5_ccache_name() " - "failed", maj, min)); - goto done; - } -#endif - maj = gss_acquire_cred_with_password(&min, client, &ba_pwd, - GSS_C_INDEFINITE, - cfg->allowed_mechs, - GSS_C_INITIATE, - &user_cred, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "In Basic Auth, %s", - mag_error(req, "gss_acquire_cred_with_password() " - "failed", maj, min)); + + if (mc && mc->established && + mag_basic_check(cfg, mc, ba_user, ba_pwd)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, + "Already established BASIC AUTH context found!"); + mag_set_req_data(req, cfg, mc); + ret = OK; goto done; } - gss_release_name(&min, &client); + break; case AUTH_TYPE_RAW_NTLM: @@ -500,6 +678,13 @@ static int mag_auth(request_rec *req) goto done; } + if (mc && mc->established) { + /* if we are re-authenticating make sure the conn context + * is cleaned up so we do not accidentally reuse an existing + * established context */ + mag_conn_clear(mc); + } + req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]); #ifdef HAVE_CRED_STORE @@ -513,48 +698,13 @@ static int mag_auth(request_rec *req) } if (auth_type == AUTH_TYPE_BASIC) { - if (cred_usage == GSS_C_BOTH) { - /* If GSS_C_BOTH is used then inquire_cred will return the client - * name instead of the SPN of the server credentials. Therefore we - * need to acquire a different set of credential setting - * GSS_C_ACCEPT explicitly */ - if (!mag_acquire_creds(req, cfg, cfg->allowed_mechs, - GSS_C_ACCEPT, &server_cred, NULL)) { - goto done; - } - } else { - server_cred = acquired_cred; - } - maj = gss_inquire_cred(&min, server_cred, &server, - NULL, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_inquired_cred_() " - "failed", maj, min)); - goto done; - } - if (server_cred != acquired_cred) { - gss_release_cred(&min, &server_cred); - } - -#ifdef HAVE_CRED_STORE - if (cfg->deleg_ccache_dir) { - /* delegate ourselves credentials so we store them as requested */ - init_flags |= GSS_C_DELEG_FLAG; - } -#endif - - /* output and input are inverted here, this is intentional */ - maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, init_flags, 300, - GSS_C_NO_CHANNEL_BINDINGS, &output, - NULL, &input, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_init_sec_context() " - "failed", maj, min)); - goto done; + if (mag_auth_basic(req, cfg, ba_user, ba_pwd, + acquired_cred, cred_usage, + &client, &mech_type, + &delegated_cred, &vtime)) { + goto complete; } + goto done; } if (auth_type == AUTH_TYPE_NEGOTIATE && @@ -570,47 +720,19 @@ static int mag_auth(request_rec *req) maj = gss_accept_sec_context(&min, pctx, acquired_cred, &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, &mech_type, &output, &flags, &vtime, + &client, &mech_type, &output, NULL, &vtime, &delegated_cred); if (GSS_ERROR(maj)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "%s", mag_error(req, "gss_accept_sec_context() failed", maj, min)); goto done; - } - if (auth_type == AUTH_TYPE_BASIC) { - while (maj == GSS_S_CONTINUE_NEEDED) { - gss_release_buffer(&min, &input); - /* output and input are inverted here, this is intentional */ - maj = gss_init_sec_context(&min, user_cred, &user_ctx, server, - GSS_C_NO_OID, init_flags, 300, - GSS_C_NO_CHANNEL_BINDINGS, &output, - NULL, &input, NULL, NULL); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_init_sec_context() " - "failed", maj, min)); - goto done; - } - gss_release_buffer(&min, &output); - maj = gss_accept_sec_context(&min, pctx, acquired_cred, - &input, GSS_C_NO_CHANNEL_BINDINGS, - &client, &mech_type, &output, &flags, - &vtime, &delegated_cred); - if (GSS_ERROR(maj)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "%s", mag_error(req, "gss_accept_sec_context()" - " failed", maj, min)); - goto done; - } - } } else if (maj == GSS_S_CONTINUE_NEEDED) { if (!mc) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, "Mechanism needs continuation but neither " "GssapiConnectionBound nor " "GssapiUseSessions are available"); - gss_delete_sec_context(&min, pctx, GSS_C_NO_BUFFER); gss_release_buffer(&min, &output); output.length = 0; } @@ -618,6 +740,7 @@ static int mag_auth(request_rec *req) goto done; } +complete: /* Always set the GSS name in an env var */ maj = gss_display_name(&min, client, &name, NULL); if (GSS_ERROR(maj)) { @@ -640,7 +763,11 @@ static int mag_auth(request_rec *req) delegated_cred, &ccachefile); if (ccachefile) { - apr_table_set(req->subprocess_env, "KRB5CCNAME", ccachefile); + mag_set_KRB5CCANME(req, ccachefile); + } + + if (mc) { + mc->delegated = true; } } #endif @@ -658,17 +785,20 @@ static int mag_auth(request_rec *req) } if (mc) { - mc->user_name = apr_pstrdup(mc->parent, req->user); - mc->gss_name = apr_pstrdup(mc->parent, clientname); + mc->user_name = apr_pstrdup(mc->pool, req->user); + mc->gss_name = apr_pstrdup(mc->pool, clientname); mc->established = true; if (vtime == GSS_C_INDEFINITE || vtime < MIN_SESS_EXP_TIME) { vtime = MIN_SESS_EXP_TIME; } mc->expiration = expiration; + mc->auth_type = auth_type; + if (auth_type == AUTH_TYPE_BASIC) { + mag_basic_cache(cfg, mc, ba_user, ba_pwd); + } if (cfg->use_sessions) { mag_attempt_session(req, cfg, mc); } - mc->auth_type = auth_type; } if (cfg->send_persist) @@ -701,24 +831,13 @@ done: ap_auth_name(req))); } } -#ifdef HAVE_GSS_KRB5_CCACHE_NAME - if (user_ccache != NULL) { - maj = gss_krb5_ccache_name(&min, orig_ccache, NULL); - if (maj != GSS_S_COMPLETE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, - "Failed to restore per-thread ccache, %s", - mag_error(req, "gss_krb5_ccache_name() " - "failed", maj, min)); - } - } -#endif - gss_delete_sec_context(&min, &user_ctx, &output); - gss_release_cred(&min, &user_cred); + gss_release_oid_set(&min, &indicated_mechs); + if (ctx != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER); gss_release_cred(&min, &acquired_cred); gss_release_cred(&min, &delegated_cred); gss_release_buffer(&min, &output); gss_release_name(&min, &client); - gss_release_name(&min, &server); gss_release_buffer(&min, &name); gss_release_buffer(&min, &lname); return ret; @@ -901,6 +1020,9 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig, sizeof(gss_OID_set_desc)); size = sizeof(gss_OID) * MAX_ALLOWED_MECHS; cfg->allowed_mechs->elements = apr_palloc(parms->pool, size); + + cfg->allowed_mechs->elements[0] = gss_mech_spnego; + cfg->allowed_mechs->count++; } if (strcmp(w, "krb5") == 0) {