GSS context negotiation oddity
Larry Tremblay
lrt512 at rogers.com
Sat May 17 19:08:02 EDT 2003
I have client and server applications that are trying to negotiate a
GSSAPI context using Kerberos as the GSS provider. My setup:
- Server running on Redhat Linux 9, using Kerberos 1.2.8 as the KDC
- Client running under Windows 2000, using Kerberos for Windows 2.1.2
libraries
Now then...
The server starts up and acquires server credentials via
gss_acquire_cred, using GSS_C_ACCEPT and a name that has been imported
using gss_nt_service_name.
The client starts up and calls gss_init_sec_context, and is given a
token and GSS_S_CONTINUE_NEEDED as the major status; the client passes
the token to the server.
The server receives the token and uses it to call
gss_accept_sec_context, and is given a token and GSS_S_COMPLETE as the
major status; the server passes the token to the client.
The client receives the token and uses it to call gss_init_sec_context
again, and is given a null token and GSS_S_COMPLETE as the major status.
(If I pass that null token to the server and try to pass it to
gss_accept_sec_context, I get a GSS_S_FAILURE as them major status, with
a minor status indicating a defective token - as one would expect since
the initial call to gss_accept_sec_context returned GSS_S_COMPLETE.)
At this point, if the client uses the context handle returned from
gss_init_sec_context, I am returned GSS_S_NO_CONTEXT from gss_get_mic.
Likewise, the context handle that the server got on its call to
gss_accept_sec_context yields only GSS_S_NO_CONTEXT from gss_get_mic.
Any ideas as to why:
1) The server is getting GSS_S_COMPLETE on its first call to
gss_accept_context?
2) Why the second call of gss_init_sec_context is not giving a token to
return to the server - even if it isn't expecting one?
It's almost like the client is wanting a double exchange negotiation,
but the server is only doing a single exchange negotiation. I hope this
is something really simple that I'm missing.
Thanks,
Larry
More information about the Kerberos
mailing list