gss-api
Rick
mail at server.net
Mon Jul 8 11:57:57 EDT 2002
A little trouble understanding Kerberos GSS-API.
My KDC is Windows 2k
host1 is solaris 7
host2 is NT 4 with leash32 2.1.1.1
On my 2k KDC I defined the following principals.
ktpass -princ user1/host1.domain.com@DOMAIN.COM -mapuser user1 -pass password -out 1.keytab
ktpass -princ user2/host2.domain.com@DOMAIN.COM -mapuser user2 -pass password -out 2.keytab
ktpass -princ rcmd/host1.domain.com@DOMAIN.COM -mapuser junkuser1 -pass password -out 11.keytab
ktpass -princ rcmd/host2.domain.com@DOMAIN.COM -mapuser junkuser2 -pass password -out 12.keytab
on host1 I run:
#kinit user1
#gss-server rcmd
If I call (gss-client host1 rcmd "test") from the same computer (host1) it works great.
On host2 I kinit as user2 and call gss-client; it fails with:
the imported name is rcmd/host2.domain.com@DOMAIN.COM
Sending init_sec_context token (size=1240)...continue needed...
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: Generic error (see e-text)
gss-server prints:
Wrong principal in request
On host2
#kinit user2
#gss-server rcmd
If I call (gss-client host2 rcmd "test") from the same computer (host2) it works great, but if I try it from host1 it doesn't work. The results are the same as above.
Basically it will only work if I run both gss-client and gss-server on the same computer.
What am I doing wrong?
Why does it automatically append the hostname and realm when importing the name?
Do I need to kinit as junkuser1 or junkuser2?
What's the relationship between -princ and -mapuser? Is it just because I can't create a multi-part principal name in Windows? Can I just create dummy users for the princs?
Am I correct in assuming that:
1. the gss-server is basically acting as an application server?
2. the gss-client gets the ticket for the service specified on the command line?
Many thanks in advance
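The following is an added model, not code from the post or from MIT Kerberos, of how a GSS_C_NT_HOSTBASED_SERVICE name such as "rcmd" is turned into a principal by gss_import_name and how the acceptor then compares the ticket's server principal against its keytab. It assumes the realm DOMAIN.COM and the two hosts from the post, and replaces DNS canonicalisation with a fixed lookup table.

```python
"""Model of host-based service name import and the acceptor's principal check.
Constructed example; it does not call the real GSS-API or Kerberos libraries."""

REALM = "DOMAIN.COM"  # assumed realm, taken from the post
# Stand-in for DNS canonicalisation of a hostname to its FQDN (assumption).
FQDN = {"host1": "host1.domain.com", "host2": "host2.domain.com"}


def import_hostbased_name(name: str, local_host: str, realm: str = REALM) -> str:
    """Mimic gss_import_name() with GSS_C_NT_HOSTBASED_SERVICE.

    The input has the form 'service' or 'service@host'. When the '@host'
    part is absent, the local hostname is used, so 'rcmd' on host2 becomes
    rcmd/host2.domain.com@REALM regardless of which server is contacted.
    """
    service, _, host = name.partition("@")
    if not service:
        raise ValueError("service part must not be empty")
    host = (host or local_host).lower()
    return f"{service}/{FQDN.get(host, host)}@{realm}"


def accept_context(keytab_principals: set, ticket_server_principal: str) -> str:
    """Acceptor side: succeed only if the ticket names a principal whose key
    is in the server's keytab; otherwise return the MIT error text."""
    if ticket_server_principal in keytab_principals:
        return "context established"
    return "Wrong principal in request"


def run_scenario(client_host: str, server_host: str, service_arg: str) -> tuple:
    """gss-client <server_host> <service_arg> run on client_host, against a
    gss-server on server_host whose keytab holds only rcmd/<server_host>."""
    target = import_hostbased_name(service_arg, client_host)
    keytab = {f"rcmd/{FQDN[server_host]}@{REALM}"}
    return target, accept_context(keytab, target)


if __name__ == "__main__":
    for case in [("host1", "host1", "rcmd"),
                 ("host2", "host1", "rcmd"),
                 ("host2", "host1", "rcmd@host1.domain.com")]:
        print(case, "->", run_scenario(*case))
```

Only the third case names the remote host explicitly, so only there does the client request a ticket for the principal the remote server actually holds a key for.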