Error using GSS-API on Solaris 9 Platform

Ahluwalia, Ish iahluwalia at sonusnet.com
Mon Aug 23 18:44:43 EDT 2004 

Hi All:

I'm a newbie to Kerberos world and this is my first time using GSS-API ever.  I'm trying to use GSS-API on Solaris 9 platform.  From what I have read so far, it seems like there is no need to install the MIT version of Kerberos on Solaris since SUN is fully compatible with it.  While writing a program and using GSS-API, I'm getting the following Major and Minor errors:
********Errors******************
GSS-API error: acquiring credentials:  Major Error: No credentials were supplied, or the credentials were unavailable or inaccessible
GSS-API error: acquiring credentials:  Minor Error: mech_dh: Success
Acquiring credentials - Maj Stat: 458752 Min Stat: 0
***********Error End*************************************

I'm using the following GSS-API call and the at the completion of the call I get the above major and minor errors.
maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
                                desiredMechs, GSS_C_ACCEPT,
                                server_cred, NULL, NULL); 

I'm acting as Kerberos Service which will only accept Contexts.  I beleive I have my krb5.conf properly setup and also KDC is running on a different machine  The way I understand GSS-API and Solaris, I don't need to construct mechanism OIDs since by default Kerberos V5 is the default mechanism of GSS-API.  So, I'm using the default mechanism by specifying "GSS_C_NULL_OID" for the desired mechanism.  I get the above mentioned errors.  The minor error contains a text "mech_dh" which caught my eye and didn't seem right.  I further explored to find what other mechanisms are supported and found a solaris mechanism file. The mechanism file contians Diffe-Hielleman and Kerberos_v5 as the supported mechanism.  As per GSS-API IETF RFC, kerberos_v5 is the default mechanism for GSS-API.  So, I assumed may be Diffe-Hielmman is the default mechanism for some reason on Solaris. 

So, just to be sure, I constructed  my own mechanism OID  using kerberos_v5 as mechanism type and tried the same thing - but got the following results:
********** Error******************************************
GSS-API error: acquiring credentials: Major Error: Unspecified GSS failure.  Minor code may provide more information
GSS-API error: acquiring credentials:  Minor Error: Unknown code 2
Acquiring credentials - Maj Stat: 851968 Min Stat: 2
*********Error End*************************************************************************

I've also tried the "gss_add_cred" command and get the same exact erros in both scenarios.  I believe I've to acquire credentials due to the fact that I'm an Application Service which will be accepting AP-REQ from a client which has already acquired a TGT and TGS from KDC to use my service.

Any help will be greatly appreciated!!!!

Thanks. 

Ish.....

More information about the Kerberos mailing list