Credentials via gss_acquire_cred and GSS_C_BOTH

Nick Thurn nick.thurn at db.com
Mon Nov 24 19:46:28 EST 2003


Sorry Folks,

Solved my own problem. It appears that an entry is required in the
credentials cache if either BOTH or INITIATE is to work correctly.

This is not supported by GSSAPI so must be done via the k5 APIs
or externally via kinit -k -t $FILE $PRINCIPAL.

cheers
Nick

CBTO-GRT IT Sydney
+61-2-9258-1394


Nick Thurn, 25/11/03 10:19
Subject: Credentials via gss_acquire_cred and GSS_C_BOTH

Hi Folks,

I have a server/client combination using the GSSAPI that comes with the MIT
distribution. It happily works when the server just accepts and the client just
initiates.

I need to be able to both accept and initiate from the server so changed my code
to use GSS_C_BOTH. The result is the following errors.

   kilmer: ~/bin>testgss --server
   GSSAPI error: acquiring credentials: Miscellaneous failure
   GSSAPI error: acquiring credentials: Permission denied

It is very important to be able to initiate connections from a service as our environment
has many situations where unattended service to service communications are
required.

If anyone could help I would be most grateful. I have downloaded the list archive but can
find no mention of this issue.

The code used is below and works fine with GSS_C_ACCEPT.

cheers
Nick


   // Members assumed from the enclosing class: 'service' (a host-based
   // service name such as "host@kilmer", empty to accept any), 'credentials'
   // (gss_cred_id_t), 'logfn' (optional log callback) and log_status(),
   // which prints the gss_display_status() text for a major/minor pair.
   #include <cstdlib>
   #include <cstring>
   #include <gssapi/gssapi.h>

   bool
   gss::server::Imp::acquire()
   {
           OM_uint32  major;
           OM_uint32  minor;

           gss_name_t target = GSS_C_NO_NAME;

           if (service[0] != 0)
           {
                   gss_buffer_desc namebuf;

                   // GSS buffers carry an explicit length: do not count the
                   // terminating NUL, or it becomes part of the imported name.
                   namebuf.value  = const_cast<char*>(service);
                   namebuf.length = strlen(service);

                   // GSS_C_NT_HOSTBASED_SERVICE is the RFC 2744 name for the
                   // MIT alias gss_nt_service_name.
                   major = gss_import_name(&minor,
                                           &namebuf,
                                           GSS_C_NT_HOSTBASED_SERVICE,
                                           &target);

                   if (major != GSS_S_COMPLETE)
                   {
                           log_status("importing service name",
                                                   major, minor);
                           return false;
                   }
           }
           // release and zero existing credentials
           if (credentials != GSS_C_NO_CREDENTIAL)
           {
                   gss_release_cred(&minor, &credentials);
                   credentials = GSS_C_NO_CREDENTIAL;
           }
           // warn if there's no keytab variable (the acceptor half reads it)
           if (! getenv("KRB5_KTNAME") && logfn)
                   logfn("GSSAPI warning: $KRB5_KTNAME not defined");

           // GSS_C_BOTH asks for a credential usable as acceptor (key from the
           // keytab) and as initiator (ticket from the credential cache);
           // a time_req of 0 requests the default lifetime.
           major = gss_acquire_cred(&minor,
                                       target,
                                       0,
                                       GSS_C_NULL_OID_SET,
                                       GSS_C_BOTH,
                                       &credentials,
                                       NULL,
                                       NULL);

           if (major != GSS_S_COMPLETE)
                   log_status("acquiring credentials", major, minor);

           if (target != GSS_C_NO_NAME)
                   gss_release_name(&minor, &target);

           return (major == GSS_S_COMPLETE);
   }

   CBTO-GRT IT Sydney
   +61-2-9258-1394






--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.