Credentials via gss_acquire_cred and GSS_C_BOTH
Nick Thurn
nick.thurn at db.com
Mon Nov 24 19:46:28 EST 2003
Sorry Folks,
Solved my own problem. It appears that an entry is required in the
credentials cache if either BOTH or INITIATE is to work correctly.
This is not supported by GSSAPI so must be done via k5 APIs
or externally via kinit -k -t $FILE $PRINCIPAL
cheers
Nick
CBTO-GRT IT Sydney
+61-2-9258-1394
Nick Thurn
25/11/03 10:19
Subject: Credentials via gss_acquire_cred and GSS_C_BOTH
Hi Folks,
I have a server/client combination using the GSSAPI that comes with the MIT
distribution. It happily works when the server just accepts and the client just
initiates.
I need to be able to both accept and initiate from the server so changed my code
to use GSS_C_BOTH. The result is the following errors.
kilmer: ~/bin>testgss --server
GSSAPI error: acquiring credentials: Miscellaneous failure
GSSAPI error: acquiring credentials: Permission denied
It is very important to be able to initiate connections from a service as our environment
has many situations where unattended service to service communications are
required.
If anyone could help I would be most grateful. I have downloaded the list archive but can
find no mention of this issue.
The code used is below and works fine with GSS_C_ACCEPT.
cheers
Nick
#include <cstdlib>                  // getenv
#include <cstring>                  // strlen
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>  // gss_nt_service_name

bool
gss::server::Imp::acquire()
{
    OM_uint32 major;
    OM_uint32 minor;
    gss_name_t target = GSS_C_NO_NAME;

    // import the service name, if one was configured
    if (service[0] != 0)
    {
        gss_buffer_desc namebuf;
        namebuf.value = const_cast<char*>(service);
        namebuf.length = strlen(service) + 1;
        major = gss_import_name(&minor,
                                &namebuf,
                                (gss_OID) gss_nt_service_name,
                                &target);
        if (major != GSS_S_COMPLETE)
        {
            log_status("importing service name",
                       major, minor);
            return false;
        }
    }

    // release and zero existing credentials
    if (credentials != GSS_C_NO_CREDENTIAL)
    {
        gss_release_cred(&minor, &credentials);
        credentials = GSS_C_NO_CREDENTIAL;
    }

    // warn if there's no keytab variable
    if (! getenv("KRB5_KTNAME") && logfn)
        logfn("GSSAPI warning: $KRB5_KTNAME not defined");

    major = gss_acquire_cred(&minor,
                             target,
                             0,                   // time_req
                             GSS_C_NULL_OID_SET,  // desired_mechs
                             GSS_C_BOTH,          // cred_usage: accept and initiate
                             &credentials,
                             NULL,                // actual_mechs not needed
                             NULL);               // time_rec not needed
    if (major != GSS_S_COMPLETE)
        log_status("acquiring credentials", major, minor);

    // the imported name is no longer needed once credentials are acquired
    if (target != GSS_C_NO_NAME)
        gss_release_name(&minor, &target);

    return (major == GSS_S_COMPLETE);
}