Comment 0 for bug 1636892

Mark Donnelly (meadmaker) wrote:

When the IdP's trust anchor changes (server cert, etc.), then the Moonshot ID Selector will rightly refuse to let a headless session continue. However, the error returned isn't very informative of the problem:

-----------------------------------------------------------------------------------------------
# gss-client -mech 1.3.6.1.5.5.15.1.1.17 localhost gss@localhost "hi"
GSS-API error str_to_oid: Unspecified GSS failure. Minor code may provide more information
GSS-API error str_to_oid: Unknown error
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: No Kerberos credentials available
-----------------------------------------------------------------------------------------------

(Using -spnego on gss-client is even less informative, but that's not a bug for this project.)

It would be great to have an error message that says something more like:
-----------------------------------------------------------------------------------------------
# gss-client -mech 1.3.6.1.5.5.15.1.1.17 localhost gss@localhost "hi"
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: The certificate we received for the authentication server for <realm> is different than expected
-----------------------------------------------------------------------------------------------