Error using GSS-API on Solaris 9 Platform

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Aug 25 09:23:54 EDT 2004


Ahluwalia, Ish wrote:

>Hi All:
>
>I'm a newbie to the Kerberos world and this is my first time using GSS-API ever.  I'm trying to use GSS-API on Solaris 9 platform.  From what I have read so far, it seems like there is no need to install the MIT version of Kerberos on Solaris since SUN is fully compatible with it.  While writing a program and using GSS-API, I'm getting the following Major and Minor errors:
>********Errors******************
>GSS-API error: acquiring credentials:  Major Error: No credentials were supplied, or the credentials were unavailable or inaccessible
>GSS-API error: acquiring credentials:  Minor Error: mech_dh: Success
>Acquiring credentials - Maj Stat: 458752 Min Stat: 0
>***********Error End*************************************
>
>I'm using the following GSS-API call and at the completion of the call I get the above major and minor errors.
>maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
>                                desiredMechs, GSS_C_ACCEPT,
>                                server_cred, NULL, NULL); 
>
>I'm acting as Kerberos Service which will only accept Contexts.  I believe I have my krb5.conf properly set up and also KDC is running on a different machine.  The way I understand GSS-API and Solaris, I don't need to construct mechanism OIDs since by default Kerberos V5 is the default mechanism of GSS-API.
>
Kerberos V5 is the default mechanism *if* it is listed 1st in 
/etc/gss/mech (config file for GSSAPI).
Solaris treats the 1st mechanism listed in this file as the default 
mechanism.

> So, I'm using the default mechanism by specifying "GSS_C_NULL_OID" for the desired mechanism.  I get the above-mentioned errors.  The minor error contains a text "mech_dh" which caught my eye and didn't seem right.  I further explored to find what other mechanisms are supported and found a Solaris mechanism file. The mechanism file contains Diffie-Hellman and Kerberos_v5 as the supported mechanisms.  As per GSS-API IETF RFC, kerberos_v5 is the default mechanism for GSS-API.  So, I assumed maybe Diffie-Hellman is the default mechanism for some reason on Solaris.
>
>So, just to be sure, I constructed  my own mechanism OID  using kerberos_v5 as mechanism type and tried the same thing - but got the following results:
>********** Error******************************************
>GSS-API error: acquiring credentials: Major Error: Unspecified GSS failure.  Minor code may provide more information
>GSS-API error: acquiring credentials:  Minor Error: Unknown code 2
>Acquiring credentials - Maj Stat: 851968 Min Stat: 2
>*********Error End*************************************************************************
>
>I've also tried the "gss_add_cred" command and get the same exact errors in both scenarios.  I believe I've to acquire credentials due to the fact that I'm an Application Service which will be accepting AP-REQ from a client which has already acquired a TGT and TGS from KDC to use my service.
>
>Any help will be greatly appreciated!!!!
>  
>
It sounds like your server process does not have access to its credentials.
Is the server running with permissions to read the keytab file that 
contains its keys?
If you are using a standard service like "host/foo.bar.com", then it's
probably in the system keytab (/etc/krb5/krb5.keytab) and your process
will need root privilege to read that file.

If your service principal keys are not in a keytab, they should be added 
using kadmin.

kadmin > ktadd host/foo.bar.com

-Wyllys
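
A quick check of the two conditions the reply points to (which mechanism /etc/gss/mech lists first, and whether the server account can read its keytab), as an added example that is not part of the original thread. The column layout of the mech file, the function names and the sample entries are assumptions; `kerberos_v5` and the keytab path come from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed mech-file layout:
#   <mechanism name> <OID> <shared library> [kernel module]

# Print the first mechanism listed: the default used for GSS_C_NULL_OID.
default_mech() {
    while read -r name oid lib rest; do
        case $name in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ -n "$lib" ] || continue                 # skip malformed entries
        echo "$name"
        return 0
    done < "$1"
    return 1
}

# 0 = readable by this process, 1 = present but unreadable, 2 = missing.
keytab_status() {
    [ -f "$1" ] || return 2
    [ -r "$1" ] || return 1
    return 0
}

# Report both conditions; return 0 only when neither is a problem.
diagnose() {
    rc=0
    first=$(default_mech "$1") || { echo "no mechanism entries in $1"; return 3; }
    if [ "$first" != kerberos_v5 ]; then
        echo "default mechanism is $first, so GSS_C_NULL_OID will not pick kerberos_v5"
        rc=1
    fi
    ks=0; keytab_status "$2" || ks=$?
    case $ks in
        1) echo "keytab $2 exists but this user cannot read it"; rc=1 ;;
        2) echo "keytab $2 not found"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample (placeholder OID and library names, not from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# Mechanism Name   Object Identifier      Shared Library
dh_mech_sample     OID-PLACEHOLDER        LIB-PLACEHOLDER
kerberos_v5        1.2.840.113554.1.2.2   LIB-PLACEHOLDER
EOF
diagnose "$sample" /etc/krb5/krb5.keytab || echo "resolve the items above before retrying"
```

On a real host, call `diagnose /etc/gss/mech /etc/krb5/krb5.keytab` as the account the server runs under, since the readability test reflects the calling user.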


