@@ -11,6 +11,9 @@ import (

 // Negotiater defines the minimal interface needed to interact with GSSAPI to perform a negotiate challenge/response

 type Negotiater interface {

+	// Load gives the negotiator a chance to load any resources needed to handle a challenge/response sequence.

+	// It may be invoked multiple times. If an error is returned, InitSecContext and IsComplete are not called, but Release() is.

+	Load() error

 	// InitSecContext returns the response token for a Negotiate challenge token from a given URL,

 	// or an error if no response token could be obtained or the incoming token is invalid.

 	InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error)

@@ -34,8 +37,14 @@ func NewNegotiateChallengeHandler(negotiater Negotiater) ChallengeHandler {

 func (c *NegotiateChallengeHandler) CanHandle(headers http.Header) bool {

 	// Make sure this is a negotiate request

-	isNegotiate, _, err := getNegotiateToken(headers)

-	return err == nil && isNegotiate

+	if isNegotiate, _, err := getNegotiateToken(headers); err != nil || !isNegotiate {

+		return false

+	}

+	// Make sure our negotiator can initialize

+	if err := c.negotiater.Load(); err != nil {

+		return false

+	}

+	return true

 }

 func (c *NegotiateChallengeHandler) HandleChallenge(requestURL string, headers http.Header) (http.Header, bool, error) {

@@ -49,6 +49,11 @@ func NewGSSAPINegotiator(principalName string) Negotiater {

 	return &gssapiNegotiator{principalName: principalName}

 }

+func (g *gssapiNegotiator) Load() error {

+	_, err := g.loadLib()

+	return err

+}

+

 func (g *gssapiNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

 	lib, err := g.loadLib()

 	if err != nil {

@@ -14,6 +14,9 @@ func NewGSSAPINegotiator(principalName string) Negotiater {

 	return &gssapiUnsupported{}

 }

+func (g *gssapiUnsupported) Load() error {

+	return errors.New("GSSAPI support is not enabled")

+}

 func (g *gssapiUnsupported) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

 	return nil, errors.New("GSSAPI support is not enabled")

 }

@@ -11,10 +11,31 @@ import (

 	"k8s.io/kubernetes/pkg/client/restclient"

 )

+type unloadableNegotiator struct {

+	releaseCalls int

+}

+

+func (n *unloadableNegotiator) Load() error {

+	return errors.New("Load failed")

+}

+func (n *unloadableNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

+	return nil, errors.New("InitSecContext failed")

+}

+func (n *unloadableNegotiator) IsComplete() bool {

+	return false

+}

+func (n *unloadableNegotiator) Release() error {

+	n.releaseCalls++

+	return errors.New("Release failed")

+}

+

 type failingNegotiator struct {

 	releaseCalls int

 }

+func (n *failingNegotiator) Load() error {

+	return nil

+}

 func (n *failingNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

 	return nil, errors.New("InitSecContext failed")

 }

@@ -29,9 +50,14 @@ func (n *failingNegotiator) Release() error {

 type successfulNegotiator struct {

 	rounds              int

 	initSecContextCalls int

+	loadCalls           int

 	releaseCalls        int

 }

+func (n *successfulNegotiator) Load() error {

+	n.loadCalls++

+	return nil

+}

 func (n *successfulNegotiator) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {

 	n.initSecContextCalls++

@@ -94,6 +120,10 @@ func TestRequestToken(t *testing.T) {

 				if negotiator.releaseCalls != 1 {

 					t.Errorf("%s: expected one call to Release(), saw %d", test, negotiator.releaseCalls)

 				}

+			case *unloadableNegotiator:

+				if negotiator.releaseCalls != 1 {

+					t.Errorf("%s: expected one call to Release(), saw %d", test, negotiator.releaseCalls)

+				}

 			default:

 				t.Errorf("%s: unrecognized negotiator: %#v", test, handler)

 			}

@@ -255,6 +285,29 @@ func TestRequestToken(t *testing.T) {

 			ExpectedError: "client requires final negotiate token, none provided",

 		},

+		// Unloadable negotiate handler

+		"unloadable negotiate handler, no challenge, success": {

+			Handler: &NegotiateChallengeHandler{negotiater: &unloadableNegotiator{}},

+			Requests: []requestResponse{

+				{initialRequest, success},

+			},

+			ExpectedToken: successfulToken,

+		},

+		"unloadable negotiate handler, negotiate challenge, failure": {

+			Handler: &NegotiateChallengeHandler{negotiater: &unloadableNegotiator{}},

+			Requests: []requestResponse{

+				{initialRequest, negotiateChallenge1},

+			},

+			ExpectedError: "unhandled challenge",

+		},

+		"unloadable negotiate handler, basic challenge, failure": {

+			Handler: &NegotiateChallengeHandler{negotiater: &unloadableNegotiator{}},

+			Requests: []requestResponse{

+				{initialRequest, basicChallenge1},

+			},

+			ExpectedError: "unhandled challenge",

+		},

+

 		// Failing negotiate handler

 		"failing negotiate handler, no challenge, success": {

 			Handler: &NegotiateChallengeHandler{negotiater: &failingNegotiator{}},