Credentials via gss_acquire_cred and GSS_C_BOTH

Nick Thurn nick.thurn at db.com
Mon Nov 24 18:19:58 EST 2003


Hi Folks,

I have a server/client combination using the GSSAPI that comes with the MIT
distribution. It happily works when the server just accepts and the client just
initiates.

I need to be able to both accept and initiate from the server, so I changed my code
to use GSS_C_BOTH. The result is the following errors.

   kilmer: ~/bin>testgss --server
   GSSAPI error: acquiring credentials: Miscellaneous failure
   GSSAPI error: acquiring credentials: Permission denied

It is very important to be able to initiate connections from a service, as our environment
has many situations where unattended service-to-service communications are
required.

If anyone could help I would be most grateful. I have downloaded the list archive but can
find no mention of this issue.

The code used is below and works fine with GSS_C_ACCEPT.

cheers
Nick


   bool
   gss::server::Imp::acquire()
   {
           OM_uint32  major;
           OM_uint32  minor;

           gss_name_t target = GSS_C_NO_NAME;

           if (service[0] != 0)
           {
                   gss_buffer_desc namebuf;

                   namebuf.value  = const_cast<char*>(service);
                   namebuf.length = strlen(service) + 1;

                   major = gss_import_name(&minor,
                                           &namebuf,
                                           (gss_OID) gss_nt_service_name,
                                           &target);

                   if (major != GSS_S_COMPLETE)
                   {
                           log_status("importing service name",
                                                   major, minor);
                           return false;
                   }
           }
           // release and zero existing credentials
           if (credentials != GSS_C_NO_CREDENTIAL)
           {
                   gss_release_cred(&minor, &credentials);
                   credentials = GSS_C_NO_CREDENTIAL;
           }
           // warn if there's no keytab variable
           if (! getenv("KRB5_KTNAME") && logfn)
                   logfn("GSSAPI warning: $KRB5_KTNAME not defined");

           major = gss_acquire_cred(&minor,
                                       target,
                                       0,
                                       GSS_C_NULL_OID_SET,
                                       GSS_C_BOTH,
                                       &credentials,
                                       NULL,
                                       NULL);

           if (major != GSS_S_COMPLETE)
                   log_status("acquiring credentials", major, minor);

           if (target != GSS_C_NO_NAME)
                   gss_release_name(&minor, &target);

           return (major == GSS_S_COMPLETE);
   }

   CBTO-GRT IT Sydney
   +61-2-9258-1394
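
An added diagnostic, not part of the original post: with the MIT krb5 mechanism, GSS_C_BOTH asks for acceptor credentials (from a keytab) and initiator credentials (from a credential cache) in one call, so either file can be the source of a "Permission denied" minor status. The sketch checks the two files separately as the account that runs the server; the function names are hypothetical, the fallback paths are the usual MIT defaults on Unix and are an assumption about this host, and only FILE:/WRFILE: names are handled.

```shell
#!/bin/sh
# Added example: pre-flight check for the two files a GSS_C_BOTH
# credential needs (keytab to accept, credential cache to initiate).

# Strip a FILE: or WRFILE: type prefix from a krb5 keytab/ccache name.
krb5_path() {
    case "$1" in
        FILE:*)   printf '%s\n' "${1#FILE:}" ;;
        WRFILE:*) printf '%s\n' "${1#WRFILE:}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Print "ok", "missing" or "unreadable" for one file, as seen by the
# current user (run this as the account that runs the server).
file_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -r "$1" ]; then
        echo unreadable
    else
        echo ok
    fi
}

# Report both halves of GSS_C_BOTH; return 0 only if both are usable.
check_gss_both() {
    # Assumed defaults when the variables are unset.
    kt=$(krb5_path "${KRB5_KTNAME:-/etc/krb5.keytab}")
    cc=$(krb5_path "${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}")
    kt_state=$(file_state "$kt")
    cc_state=$(file_state "$cc")
    echo "accept   (keytab) $kt: $kt_state"
    echo "initiate (ccache) $cc: $cc_state"
    [ "$kt_state" = ok ] && [ "$cc_state" = ok ]
}
```

Source the file and run `check_gss_both` in the same environment as `testgss --server`; a keytab that is fine with GSS_C_ACCEPT alongside a missing or unreadable cache points at the initiator half.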








More information about the Kerberos mailing list