windows 2000 and 2003 compatibility issue on MIT Kerberos

peter_yen at trendmicro.com
Mon Aug 16 18:49:21 EDT 2004



-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at mit.edu]
Sent: Monday, August 16, 2004 3:44 PM
To: Peter Yen (RD-US)
Subject: Re: export private interface "krb5_set_default_tgs_ktypes" defined in krb5.h


Send this report to kerberos at mit.edu

Windows 2003 is doing the right thing.  Your client and server must support RC4-HMAC or
you need to mark the server principal to be DES only. 



peter_yen at trendmicro.com wrote:


Hi Jeff,

Sorry for my late response. Here I provide two configurations for Windows 2000 and Windows 2003 respectively. The Windows 2000 case works fine but 2003 failed with "Server not found in Kerberos Database". And I also noticed that the TGT ticket returned from the Windows 2003 server is using "DES cbc mode with CRC-32, ArcFour with HMAC/md5", which is not specified in the client's configuration enctypes list. My packet trace of Windows 2003 gives me the following stream trace.
Am I missing something here? Seems like I have to add a keytab on both the server and client sides? I'd appreciate your great help a lot. Thanks for taking your time.

Peter

+++++++++++++++++++++++++++++
Packet Trace for Windows 2003 Failure
+++++++++++++++++++++++++++++

Client: an LDAP client wanting to use Kerberos to authenticate itself to Windows 2003 AD
Server: an Active Directory (LDAP) server with Kerberos daemon running

C ------> S    : KRB5 AS-REQ
S ------> C    : KRB5 KDC_ERR_PREAUTH_REQUIRED
C ------> S    : KRB5 AS-REQ
S ------> C    : KRB5 REP
C ------> S    : KRB5 TGS-REQ
S ------> C    : KRB5 KDC_ERR_PRINCIPAL_UNKNOWN [ERROR]

+++++++++++++++++++++++++
Windows 2000 Klist
+++++++++++++++++++++++++
Ticket cache: API:krb5cc
Default principal: ADMINISTRATOR at IWSSAD.TRENDMICRO.COM

Valid starting     Expires            Service principal
08/16/04 15:15:53  08/17/04 01:16:29  krbtgt/IWSSAD.TRENDMICRO.COM at IWSSAD.TRENDMICRO.COM
        renew until 08/17/04 15:15:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
08/16/04 15:16:29  08/17/04 01:16:29  ldap/US-IWSS-PROXY.IWSSAD.TRENDMICRO.COM at IWSSAD.TRENDMICRO.COM
        renew until 08/17/04 15:15:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

-----------------------------------------------------
krb5.conf
-----------------------------------------------------
[libdefaults]
   ticket_lifetime = 900
   default_realm = IWSSAD.TRENDMICRO.COM
   default_tgs_enctypes = DES-CBC-CRC
   default_tkt_enctypes = DES-CBC-CRC
   default_etypes = DES-CBC-CRC
   default_etypes_des = DES-CBC-CRC
   clockskew = 300

[realms]
   IWSSAD.TRENDMICRO.COM = {
      kdc = US-IWSS-PROXY.IWSSAD.TRENDMICRO.COM:88
      admin_server = US-IWSS-PROXY.IWSSAD.TRENDMICRO.COM
      default_domain = trendmicro.com
   }

   
[domain_realm]
   .trendmicro.com = IWSSAD.TRENDMICRO.COM
   trendmicro.com = IWSSAD.TRENDMICRO.COM


+++++++++++++++++++++++++++
Windows 2003 Klist
+++++++++++++++++++++++++++
Ticket cache: API:krb5cc
Default principal: ADMINISTRATOR at INCOMING.COM

Valid starting     Expires            Service principal
08/16/04 15:09:55  08/17/04 01:09:29  krbtgt/INCOMING.COM at INCOMING.COM
        renew until 08/17/04 15:09:55, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5


Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

Errors:
service_name: ldap/US-ANDSON-W2K3.QALAB.US.TRENDNET.ORG at INCOMING.CO
GSS-API error initializing context: Server not found in Kerberos database

--------------------------------------------------------
krb5.conf
--------------------------------------------------------
[libdefaults]
   ticket_lifetime = 900
   default_realm = INCOMING.COM
   default_tgs_enctypes = DES-CBC-CRC
   default_tkt_enctypes = DES-CBC-CRC
   clockskew = 1000

[realms]

   INCOMING.COM = {
      kdc = us-andson-w2k3.qalab.us.trendnet.org:88
      admin_server = us-andson-w2k3.qalab.us.trendnet.org
      default_domain = incoming.com
   }
   
[domain_realm]
   .incoming.com = INCOMING.COM
   incoming.com = INCOMING.COM

-----Original Message-----
From: Jeffrey Altman [ mailto:jaltman at mit.edu]
Sent: Monday, August 16, 2004 12:31 PM
To: Peter Yen (RD-US)
Cc: Ken Raeburn
Subject: Re: export private interface "krb5_set_default_tgs_ktypes" defined in krb5.h


What does klist report for the enctypes associated with the tickets?

Why is there any reason for you to be restricting the enctypes on the client?

Who controls the service?  If it is you, what keys do you have in the keytab
file?




peter_yen at trendmicro.com wrote:

Hi Jeff,



Thanks for your insights. I am adopting the Samba ads_sasl_gssapi_bind() implementation to do GSSAPI auth to a windows 2003 Active Directory. ( http://samba.org/doxygen/appliance-head/sasl_8c.html#a6)

I have included the supported enctypes, both des-cbc-crc and des-cbc-md5, in the krb5.conf file. My packet trace shows that the code proceeds to line 00375, rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, &scred), and returns an error of "invalid credential". I suspect that the error comes from an inconsistency of enctypes while obtaining tickets from the KDC. Am I missing something here? I'd highly appreciate your help a lot. Thanks.



Peter



-----Original Message-----
From: Jeffrey Altman [ mailto:jaltman at mit.edu]
Sent: Monday, August 16, 2004 10:59 AM
To: Ken Raeburn
Cc: Peter Yen (RD-US)
Subject: Re: export private interface "krb5_set_default_tgs_ktypes" defined in krb5.h


The issue with Windows 2000 vs Windows 2003 is this:

   Windows 2000 has a security weakness in it because it will always
   provide a response using the first enctype in the list of supported
   enctypes provided by the client instead of the strongest enctype
   supported by the client.  The client should be prepared to accept
   tickets in all enctypes the client says it will support.

   This usually shows itself when the service principal is set for
   DES only.  In this case, Windows 2000 will respond with a
   DES-CBC-CRC ticket enctype; whereas Windows 2003 will respond
   with a DES-CBC-MD5 ticket enctype.

What is it that you are doing that results in your client not being
able to handle the tickets obtained from the KDC?







Ken Raeburn wrote:

(Oops.  On the previous message I cc'ed the account Jeff uses for
posting to newsgroups, which was the one he replied to you from before.
According to his auto-responder, though, he doesn't actually read mail
there, so his Columbia address is preferred.)

On Aug 16, 2004, at 13:46, Ken Raeburn wrote:

On Aug 16, 2004, at 13:00, <peter_yen at trendmicro.com> wrote:

Hi Ken,

Thanks for your kind response. Actually, I am having some
compatibility issues using Kerberos/GSSAPI authentication with
Windows 2003 Active Directory. I adopted the way how Samba
authenticates itself using GSSAPI mechanism but it works well on
Windows 2000 but not Windows 2003 Active Directory. I traced my
packets and found that the encryption scheme used at Active Directory
is different from the one requested by client which causes the
server/client unable to recognize/decrypt the authenticating
credentials. I have been looking up on the internet for a while but
still cannot get it to work. That's why I wanted to export the private
interface to see if I could manipulate the encryption schemes during
GSSAPI context exchanges. Is there a known issue for Windows 2003
compatibility? I'd appreciate your help a lot. Thank you in advance.

Jeff Altman (who also replied on the Kerberos list) would be a lot
more familiar with the Windows compatibility issues than I am.

Does setting default_tgs_enctypes in the config file not do the job?

I note that in the current sources, krb5_set_default_tgs_ktypes just
calls krb5_set_default_tgs_enctypes, which appears to be exported.

I'm not sure offhand if that was the case in the KfW release, I don't
have a tree checked out.





     

Peter Yen

-----Original Message-----
From: Ken Raeburn [ mailto:raeburn at MIT.EDU]
Sent: Monday, August 16, 2004 9:48 AM
To: Peter Yen (RD-US)
Cc: <krbdev at mit.edu>; 'kerberos at mit.edu'
Subject: Re: export private interface "krb5_set_default_tgs_ktypes" defined in krb5.h


On Aug 12, 2004, at 18:48, <peter_yen at trendmicro.com> wrote:

I have tried to build up the MIT Krb-1.3.4 on Windows to export the
private interface "krb5_set_default_tgs_ktypes" declared in

First of all, why do you need it exported?  As you note, it is marked
"private", and you shouldn't be surprised if such declarations or even
the functions disappear or have different signatures in some future
version.

added the compiled libraries into my VC6.0 project linker settings.
Unfortunately, it still gives me error such as "error LNK2001:
unresolved external symbol _krb5_set_default_tgs_ktypes". I am pretty
sure that I have included the libraries(comerr32.lib, gssapi32.lib,
krb532.lib, xpprof32.lib) in my linker settings but it still cannot
work. Is there anything I missed out? I'd appreciate your kind help a
lot. Thanks.

The library would need to be rebuilt after you update krb5_32.def,
which lists all the symbols to be exported.  And your rebuilt library
would have to be used by anyone using your application, because it
wouldn't be compatible with the standard KfW DLLs.

Ken


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is
confidential and may be subject to copyright or other intellectual
property protection. If you are not the intended recipient, you are
not authorized to use or disclose this information, and we request
that you notify us by reply mail or telephone and delete the original
message from your mail system.
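One way to check a klist listing against the enctypes configured in krb5.conf, using the Windows 2003 klist output and krb5.conf quoted in the message above. This is an added example, not code from the thread or from MIT Kerberos; the function names and the split between krbtgt tickets (`default_tkt_enctypes`) and service tickets (`default_tgs_enctypes`) are assumptions of the example.

```python
import re

# klist enctype descriptions (as printed by MIT krb5) -> krb5.conf enctype names.
DESCRIPTION_TO_NAME = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "arcfour with hmac/md5": "rc4-hmac",
}
# Alternative krb5.conf spellings of the same enctype.
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}

# Windows 2003 [libdefaults] and klist output from the message, with the
# wrapped klist line rejoined and " at " written back as "@".
KRB5_CONF = """\
[libdefaults]
   ticket_lifetime = 900
   default_realm = INCOMING.COM
   default_tgs_enctypes = DES-CBC-CRC
   default_tkt_enctypes = DES-CBC-CRC
   clockskew = 1000
"""
KLIST = """\
Valid starting     Expires            Service principal
08/16/04 15:09:55  08/17/04 01:09:29  krbtgt/INCOMING.COM@INCOMING.COM
        renew until 08/17/04 15:09:55, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
"""

TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")


def normalize(name):
    """Map a klist description or krb5.conf spelling to one canonical name."""
    name = name.strip().lower()
    return ALIASES.get(name, DESCRIPTION_TO_NAME.get(name, name))


def libdefaults(conf_text):
    """Return the [libdefaults] settings of a krb5.conf as raw strings."""
    section, settings = None, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def enctype_list(settings, key):
    """Configured enctype names for `key`, or None when the option is unset."""
    if key not in settings:
        return None
    return [normalize(n) for n in re.split(r"[\s,]+", settings[key]) if n]


def parse_klist(text):
    """Yield one record per ticket that has an 'Etype (skey, tkt)' line."""
    tickets, service = [], None
    for line in text.splitlines():
        match = TICKET_RE.match(line.strip())
        if match:
            service = match.group(1)
            continue
        match = ETYPE_RE.search(line)
        if match and service:
            tickets.append({"service": service,
                            "skey": normalize(match.group(1)),
                            "tkt": normalize(match.group(2))})
            service = None
    return tickets


def audit(conf_text, klist_text):
    settings = libdefaults(conf_text)
    report = []
    for ticket in parse_klist(klist_text):
        # Simplification: krbtgt tickets are treated as AS-exchange results,
        # everything else as TGS-exchange results.
        option = ("default_tkt_enctypes" if ticket["service"].startswith("krbtgt/")
                  else "default_tgs_enctypes")
        allowed = enctype_list(settings, option)
        report.append({
            **ticket,
            "option": option,
            # The session key is the part the client itself has to use.
            "skey_allowed": allowed is None or ticket["skey"] in allowed,
            # The ticket is sealed with the service's long-term key and is
            # opaque to the client, so this can be False on a healthy setup.
            "tkt_in_client_list": allowed is not None and ticket["tkt"] in allowed,
        })
    return report


if __name__ == "__main__":
    for row in audit(KRB5_CONF, KLIST):
        print(row)
```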

       

     



From: "Barbat, Calin" <c.barbat at osram.de>
To: "Tim Alsop" <Tim.Alsop at CyberSafe.Ltd.UK>
Cc: kerberos at mit.edu
Date: Tue, 17 Aug 2004 09:13:26 +0200
Subject: AW: BC-SNC, MIT Kerberos V, SSO, GSS-API v2

Tim,

I'm not interested in a commercial product, I already know there are
several certified products around there; but e.g. the Duke University
uses MIT Kerberos to do the job - seen it yesterday on URL: 

http://www.oit.duke.edu/techsupport/sap/sapgui/linux/

So I'd like to figure out how to properly configure Kerberos, as the
libgssapi_krb5.so seems to work out of the box for them.

Anyway, thank you for your marketing effort,

Calin Barbat.

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.Ltd.UK]
Sent: Monday, 16 August 2004 18:59
To: Barbat, Calin
Cc: kerberos at mit.edu
Subject: RE: BC-SNC, MIT Kerberos V, SSO, GSS-API v2


Calin,

We can solve this problem using our GSS library which works in a
consistent manner with SAP SNC on all platforms (including Linux). Our
product is "Certified for SAP NetWeaver"

So, if you are interested in a BC-SNC supported gss library for Linux
please refer to www.cybersafe.ltd.uk/links/sap.htm

Let me know if you have any further questions by emailing me off-list.

Thanks, Tim.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Barbat, Calin
Sent: 13 August 2004 10:37
To: kerberos at mit.edu
Subject: BC-SNC, MIT Kerberos V, SSO, GSS-API v2

Hello everybody,

I need help with Single Sign-On for SAPguis running on Windows clients
to an SAP Application Server 4.6C running on a Linux SLES server with
authentication against an Active Directory provided by a Windows 2000
Server.

In the following I'll describe how far I got, so the specialists can
help with the remaining things to do.

I'm trying now to get the actual Kerberos implementation (release 1.3.1)
from MIT to work with our SAP Application Server 4.6C. 
Could it be that I need an older release? If so, which one and where can
I get it?

As I understand, the libgssapi_krb5.so library has to be tested for
interoperability with a tool named gsstest, which is provided for free
by SAP.

I compiled, installed and configured Kerberos on the Linux AS and got a
logon ticket from the Win2k KDC by logging in on the Linux prompt using:

  kinit C.Barbat

This ticket is shown by: 

  klist

Then I issued:

  gsstest-1.27/gsstest -l /usr/local/lib/libgssapi_krb5.so -d 4 -p kerberos_test.log

This should test the library libgssapi_krb5.so with the most verbose
output to kerberos_test.log.

This file reads as follows:


 
  **************************************************************************
  ***                                                                    ***
  ***  "gsstest" -- GSS-API v2  Shared Library API Test Program          ***
  ***                                                                    ***
  ***  Version 1.27   11-Apr-2003                                        ***
  ***                                                                    ***
  ***  This implementation is Copyright (c), 1998  SAP AG Walldorf       ***
  ***                                                                    ***
  **************************************************************************
  ***      This tool may be freely used to test functionality and        ***
  ***      robustness of GSS-API v2 mechanism implemenations             ***
  **************************************************************************
  *** THIS SOFTWARE IS PROVIDED BY SAP AG ``AS IS'' AND ANY EXPRESSED    ***
  *** OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE          ***
  *** IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ***
  *** PURPOSE ARE DISCLAIMED. SAP AG SHALL BE LIABLE FOR ANY DAMAGES     ***
  *** ARISING OUT OF THE USE OF THIS SOFTWARE ONLY IF CAUSED BY SAP AG'S ***
  *** INTENT OR GROSS NEGLIGENCE. IN CASE SAP AG IS LIABLE UNDER THIS    ***
  *** AGREEMENT FOR DAMAGES CAUSED BY SAP AG'S GROSS NEGLIGENCE SAP AG   ***
  *** FURTHER SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, ***
  *** EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,***
  *** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,    ***
  *** OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY    ***
  *** THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,        ***
  *** OR TORT, AND SHALL NOT BE LIABLE IN EXCESS OF THE AMOUNT OF        ***
  *** DAMAGES TYPICALLY FORESEEABLE FOR SAP AG, WHICH SHALL IN NO EVENT  ***
  *** EXCEED US$ 500.000.-                                               ***
  **************************************************************************

Timer resolution of gettimeofday() is (at least)      0.001 millisec
1 second passed in   1000.000 millisec.

==================================
  Current Date&Time :  Fri, 13-Aug-2004   08:55:05   GMT +00:00
  Operating System  :  Linux
          -Release  :  2.4.21-190-smp
  Hardware/Machine  :  i686
  scalar C-types    :  void* ptrdiff_t size_t time_t long int wchar_t char
    (sizes in bits) :    32     32s      32u    32s   32s 32s   32s 8u
  Endianess, Charset:  1234 (LITTLE_ENDIAN),  ASCII charset
  Perf-Index (p-90) :  dbg
  Timer Resolution  :  0.001 millisec using "gettimeofday()"
  Hostname          :  app-r3-portal
  Current user      :  cb
==================================
Loading GSS-API shared library #1 "/usr/local/lib/libgssapi_krb5.so" ...

  Resolving SAP SNC-Adapter functions ...
    GSS-API v2  "sapsnc_init_adapter"                  (  opt.   ) (missing)
    GSS-API v2  "sapsnc_export_cname_blob"             (  opt.   ) (missing)
    GSS-API v2  "sapsnc_import_cname_blob"             (  opt.   ) (missing)
  Resolving Misc Support functions ...
    GSS-API v1  "gss_indicate_mechs"                   (REQUIRED ) ok.
    GSS-API v1  "gss_display_status"                   (REQUIRED ) ok.
    GSS-API v1  "gss_release_buffer"                   (REQUIRED ) ok.
    GSS-API v1  "gss_release_oid_set"                  (REQUIRED ) ok.
    GSS-API v2  "gss_inquire_names_for_mech"           (requested) ok.
    GSS-API v2  "gss_create_empty_oid_set"             (  opt.   ) ok.
    GSS-API v2  "gss_add_oid_set_member"               (  opt.   ) ok.
    GSS-API v2  "gss_test_oid_set_member"              (  opt.   ) ok.
  Resolving Names management functions ...
    GSS-API v1  "gss_compare_name"                     (REQUIRED ) ok.
    GSS-API v1  "gss_display_name"                     (REQUIRED ) ok.
    GSS-API v1  "gss_import_name"                      (REQUIRED ) ok.
    GSS-API v1  "gss_release_name"                     (REQUIRED ) ok.
    GSS-API v2  "gss_canonicalize_name"                (requested) ok.
    GSS-API v2  "gss_export_name"                      (requested) ok.
    GSS-API v2  "gss_duplicate_name"                   (  opt.   ) ok.
    GSS-API v2  "gss_inquire_mechs_for_name"           (  opt.   ) (missing)
  Resolving Credentials management functions ...
    GSS-API v1  "gss_acquire_cred"                     (REQUIRED ) ok.
    GSS-API v1  "gss_release_cred"                     (REQUIRED ) ok.
    GSS-API v1  "gss_inquire_cred"                     (REQUIRED ) ok.
    GSS-API v2  "gss_inquire_cred_by_mech"             (requested) ok.
    GSS-API v2  "gss_add_cred"                         (  opt.   ) ok.
  Resolving Context-level functions ...
    GSS-API v1  "gss_init_sec_context"                 (REQUIRED ) ok.
    GSS-API v1  "gss_accept_sec_context"               (REQUIRED ) ok.
    GSS-API v1  "gss_delete_sec_context"               (REQUIRED ) ok.
    GSS-API v1  "gss_context_time"                     (REQUIRED ) ok.
    GSS-API v2  "gss_inquire_context"                  (REQUIRED ) ok.
    GSS-API v2  "gss_export_sec_context"               (requested) ok.
    GSS-API v2  "gss_import_sec_context"               (requested) ok.
    GSS-API v2  "gss_wrap_size_limit"                  (requested) ok.
    GSS-API v1  "gss_process_context_token"            (  opt.   ) ok.
  Resolving V2 message protection functions ...
    GSS-API v2  "gss_get_mic"                          (REQUIRED ) ok.
    GSS-API v2  "gss_verify_mic"                       (REQUIRED ) ok.
    GSS-API v2  "gss_wrap"                             (REQUIRED ) ok.
    GSS-API v2  "gss_unwrap"                           (REQUIRED ) ok.

INcomplete GSS-API v2 implementation.
At least one of the "optional" calls is missing

Loading of GSS-API shared library completed.


Status:  gss_indicate_mechs() = (GSS_S_COMPLETE)
  mech_list from gss_indicate_mechs() contains 2 gss_OID elements:
  {
    [ 0] rfc1964)
    [ 1]   }
SNC will recognize this mechanism OID and force this selection ---
  Selecting mechanism (1) from GSS shared library #1:
      {1 3 5 1 5 2}                       MECH
==========

Checking supported nametypes via gss_inquire_names_for_mech()
Status:  gss_inquire_names_for_mech() = (GSS_S_COMPLETE)

==========
Testing generic gssapi functions ...
----------
TEST: passing mech_list from indicate_mechs() to release_oid_set()
Status:  gss_indicate_mechs() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: passing name_types from inquire_names_for_mech() to release_oid_set()
Status:  gss_inquire_names_for_mech() = (GSS_S_COMPLETE)
  name_types contains 8 gss_OID elements:
  {
    [ 0]     [ 1] GSS_C_NT_MACHINE_UID_NAME
    [ 2]     [ 3] GSS_C_NT_HOSTBASED_SERVICE
    [ 4] (GSS_C_NT_HOSTBASED_SERVICE_X)
    [ 5]     [ 6] GSS_KRB5_NT_PRINCIPAL_NAME
    [ 7] rfc1964!
  }
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
RESULT  OK
-------
==========
Testing credentials management functions ...
----------
TEST: *default* initiating credentials (acquire_cred default mechs)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_inquire_cred Ini() = (GSS_S_COMPLETE)
RESULT  OK
-------
  actual_mechs from gss_acquire_cred() contains 2 gss_OID elements:
  {
    [ 0]     [ 1] rfc1964)
  }
Status:  gss_display_name() = (GSS_S_COMPLETE)
----------
TEST: *default* initiating credentials (acquire_cred specific mechs)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_inquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_compare_name() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: *default* initiating credentials (inquire_cred only)
Status:  gss_inquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_compare_name() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: named default initiating credentials (acquire_cred with name)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_inquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_compare_name() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: acquire_cred and inquire_cred with NO optional parameters
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_inquire_cred Ini() = (GSS_S_COMPLETE)
RESULT  OK
-------
Status:  gss_release_cred() = (GSS_S_COMPLETE)
Status:  gss_release_cred() = (GSS_S_COMPLETE)
Status:  gss_release_cred() = (GSS_S_COMPLETE)
Status:  gss_release_cred() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
Status:  gss_release_oid_set() = (GSS_S_COMPLETE)
  My own name/identity (from default creds) resolves to
    "C.Barbat at OSRAM.DE"
  Nametype oid GSS_KRB5_NT_PRINCIPAL_NAME

TEST: Examining the exported name framing
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_export_name() = (GSS_S_COMPLETE)
  exported name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
  Framing details for exported name (Section 3.2, GSS-API v2 spec):
    TOK_ID            :   00000: 04 01
    MECH_OID_LEN         OID tag       :   00004: 06
        OID len         OID elements  :   00006: 2a 86 48 86 f7 12 01 02  02
          rfc1964)
    NAME_LEN       NAME              :   00013: 43 2e 42 61 72 62 61 74   C.Barbat
                          0001b: 40 4f 53 52 41 4d 2e 44   @OSRAM.D
                          00023: 45                        E
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
RESULT  OK
-------

  Since you didn't give me a target name, I'll try to talk to myself!

TEST: acquiring *default* initiating credentials (simple)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: acquiring *default* initiating credentials (query)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_inquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_export_name() = (GSS_S_COMPLETE)
  exported name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
  input name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
  nametype oid GSS_C_NT_EXPORTED_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_compare_name() = (GSS_S_COMPLETE)
Name transformation: compare_name(src_name,dst_name)=TRUE
Status:  gss_release_cred() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: acquiring initiating credentials (gss_name_t)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: acquiring initiating credentials (printable name)
  input name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
  nametype oid GSS_KRB5_NT_PRINCIPAL_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: acquiring initiating credentials (can. printable name)
  input name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
  nametype oid GSS_KRB5_NT_PRINCIPAL_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_export_name() = (GSS_S_COMPLETE)
  exported name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
  input name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
  nametype oid GSS_C_NT_EXPORTED_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_compare_name() = (GSS_S_COMPLETE)
Name transformation: compare_name(src_name,dst_name)=TRUE
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_acquire_cred Ini() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
RESULT  OK
-------
TEST: acquiring accepting credentials for target (printable name)
  for identity "C.Barbat at OSRAM.DE"
  input name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
  nametype oid GSS_KRB5_NT_PRINCIPAL_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_acquire_cred Acc() = (GSS_S_FAILURE)
         gss_display_status(0x000d0000,GSS_S_GSS_CODE) Status:  gss_display_status() = (GSS_S_COMPLETE)
           "Miscellaneous failure"
         gss_display_status(0x00000002,GSS_S_MECH_CODE) Status:  gss_display_status() = (GSS_S_COMPLETE)
           "No such file or directory"
Status:  gss_release_name() = (GSS_S_COMPLETE)
RESULT  NOT ok (rc=1)
-------
TEST: acquiring accepting credentials for target (can. printable name)
  input name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
  nametype oid GSS_KRB5_NT_PRINCIPAL_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_export_name() = (GSS_S_COMPLETE)
  exported name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
  input name buffer    00000: 04 01 00 0b 06 09 2a 86  48 86 f7 12 01 02 02 00   ......*. H.......
   00010: 00 00 11 43 2e 42 61 72  62 61 74 40 4f 53 52 41   ...C.Bar bat@OSRA
   00020: 4d 2e 44 45                                        M.DE
  nametype oid GSS_C_NT_EXPORTED_NAME
Status:  gss_import_name() = (GSS_S_COMPLETE)
Status:  gss_display_name() = (GSS_S_COMPLETE)
        gss_display_name() returned "C.Barbat at OSRAM.DE"
  printable name buffer    00000: 43 2e 42 61 72 62 61 74  40 4f 53 52 41 4d 2e 44   C.Barbat @OSRAM.D
   00010: 45                                                 E
    newly imported Status:  gss_release_buffer() = (GSS_S_COMPLETE)
Status:  gss_canonicalize_name() = (GSS_S_COMPLETE)
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_compare_name() = (GSS_S_COMPLETE)
Name transformation: compare_name(src_name,dst_name)=TRUE
Status:  gss_release_name() = (GSS_S_COMPLETE)
Status:  gss_acquire_cred Acc() = (GSS_S_FAILURE)
         gss_display_status(0x000d0000,GSS_S_GSS_CODE) Status:  gss_display_status() = (GSS_S_COMPLETE)
           "Miscellaneous failure"
         gss_display_status(0x00000002,GSS_S_MECH_CODE) Status:  gss_display_status() = (GSS_S_COMPLETE)
           "No such file or directory"
Status:  gss_release_name() = (GSS_S_COMPLETE)
RESULT  NOT ok (rc=1)
-------
TEST: acquiring *default* accepting credentials (simple)
Status:  gss_acquire_cred Acc() = (GSS_S_COMPLETE)
Status:  gss_inquire_cred Acc() = (GSS_S_COMPLETE)

Now I need your help. What could I do next, in order to understand what
went wrong and how to correct it?

Any help or hint is greatly appreciated.

C. Barbat


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
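
The exported name buffer in the gsstest log above follows the framing of RFC 2743, section 3.2 (TOK_ID, MECH_OID_LEN, MECH_OID, NAME_LEN, NAME), and the 36 bytes of the hex dump can be decoded field by field. This is an added example, not part of the original message or of gsstest; the function names are chosen for the example.

```python
import struct

# The 36 bytes of the "exported name buffer" hex dump in the gsstest log.
EXPORTED_NAME = bytes.fromhex(
    "04 01 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 00 "
    "00 00 11 43 2e 42 61 72 62 61 74 40 4f 53 52 41 "
    "4d 2e 44 45"
)


def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, value = [], 0
    for octet in body:
        # Each sub-identifier is base-128, high bit set on all but the last octet.
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    # The first sub-identifier packs the first two arcs together.
    if first < 40:
        head = (0, first)
    elif first < 80:
        head = (1, first - 40)
    else:
        head = (2, first - 80)
    return ".".join(str(arc) for arc in (*head, *subids[1:]))


def parse_exported_name(token):
    """Split an exported name into its fields.

    Exported names exist to be compared byte for byte, so every length is
    checked and neither truncation nor trailing bytes are tolerated.
    """
    if len(token) < 4 or token[:2] != b"\x04\x01":
        raise ValueError("missing TOK_ID 04 01")
    (mech_oid_len,) = struct.unpack(">H", token[2:4])
    oid_field = token[4:4 + mech_oid_len]
    if mech_oid_len < 2 or len(oid_field) != mech_oid_len:
        raise ValueError("truncated MECH_OID")
    tag, der_len = oid_field[0], oid_field[1]
    # Only the short DER length form is handled; mechanism OIDs are short.
    if tag != 0x06 or der_len >= 0x80 or der_len != mech_oid_len - 2:
        raise ValueError("MECH_OID is not a well-formed DER OID")
    pos = 4 + mech_oid_len
    if len(token) < pos + 4:
        raise ValueError("truncated NAME_LEN")
    (name_len,) = struct.unpack(">I", token[pos:pos + 4])
    name = token[pos + 4:]
    if len(name) != name_len:
        raise ValueError("NAME_LEN does not match the remaining bytes")
    return {
        "mech_oid_len": mech_oid_len,
        "mech_oid": decode_oid(oid_field[2:]),
        "name_offset": pos + 4,
        "name_len": name_len,
        "name": name,
    }


if __name__ == "__main__":
    for field, value in parse_exported_name(EXPORTED_NAME).items():
        print(f"{field:13s}: {value}")
```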





