Confusing error description when server trust anchor changes
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Moonshot ID Selector | Confirmed | Low | Dan Breslau | |
Bug Description
When the IdP's trust anchor changes (server cert, etc.), then the Moonshot ID Selector will rightly refuse to let a headless session continue. However, the error returned isn't very informative of the problem:
-------
GSS-API error str_to_oid: Unspecified GSS failure. Minor code may provide more information
GSS-API error str_to_oid: Unknown error
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: No Kerberos credentials available
-------
(Using -spnego on gss-client is even less informative, but that's not a bug for this project.)
It would be great to have an error message that says something more like:
-------
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: The certificate we received for the authentication server for <realm> is different than expected
-------
description: updated
Changed in moonshot-ui: status: New → Confirmed
Changed in moonshot-ui: assignee: nobody → Dan Breslau (dbreslau)
Try gss-client -mech '{ 1.3.6... }'
I believe that the error is correct and that you're passing in syntax to gss_str_to_oid that it doesn't like.