SSPI/GSS-API : mech_dh: Invalid or unknown error

Jacques Lebastard jacques.lebastard at evidian.com
Tue Apr 12 14:01:48 EDT 2005


Wyllys Ingersoll wrote:
>
> mech_dh is the Diffie-Hellman mechanism in Solaris.
>
> On older systems, this is the default mech that gets

Solaris 9 is in use.

> used if the caller does not specify the Kerberos OID when
> making the init/accept calls.

The Kerberos OID is specified when invoking gss_acquire_cred within
the GSS-API server.

> To make the system default to using the Kerberos mech,
> adjust the lines in /etc/gss/mech file so that kerberos_v5
> mechanism appears before the mech_dh mechanisms.

Changing the entries in the mech file and restarting the GSS-API server
did not solve the problem.
Would a server reboot make any difference?

> -Wyllys
>
>
> Jacques Lebastard wrote:
>
>>  Hi folks,
>>
>>  I wrote an SSPI Client / GSS-API Server application that works fine in
>>  a tree of ActiveDirectory domains / Solaris realm environment where
>>  the KDCs are the AD domain controllers.
>>
>>  Server application is located in mytree.dom and users in
>>  child.mytree.dom.
>>
>>  However, I sometimes get an error for some users. These users can
>>  establish a context from W2K workstations but cannot from WinXP
>>  workstations (both workstations are located in child.mytree.dom).
>>
>>  The Solaris GSS-API server shows the following error message for
>>  connections established on WinXP ws:
>>
>>  MAJOR(gss_accept_sec_context) : Unspecified GSS failure. Minor code
>>  may provide more information
>>  MINOR(gss_accept_sec_context) : mech_dh: Invalid or unknown error
>>
>>
>>  What does 'mech_dh' mean? Diffie-Hellman mechanism???
>>
>>  What are the differences between Kerberos SSP W2K SP4 and WinXP SP 1?
>>
>>
>>  Thanks for any hint, -- Jacques
>>
>>  ________________________________________________ Kerberos mailing
>>  list Kerberos at mit.edu
>>  https://mailman.mit.edu/mailman/listinfo/kerberos
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
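
The thread turns on which mechanism the acceptor ends up using, so one useful check is to decode the mechanism OID that a client's initial context token names (RFC 2743 section 3.1 framing) before it is passed to gss_accept_sec_context. This is an added example, not code from the thread or from any GSS-API library; the function names and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Read a DER length at buf[*pos]; returns 0 on success, -1 if malformed. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *len)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 0; }
    unsigned k = b & 0x7f;
    if (k == 0 || k > sizeof(size_t) || n - *pos < k) return -1;
    for (*len = 0; k--; ) *len = (*len << 8) | buf[(*pos)++];
    return 0;
}

/* Dotted mech OID from the framing 0x60 <len> 0x06 <oidlen> <oid> ...; -1 if absent. */
int gss_token_mech_oid(const unsigned char *tok, size_t n, char *out, size_t outsz)
{
    size_t pos = 0, total, olen;
    if (n < 2 || tok[pos++] != 0x60) return -1;
    if (der_len(tok, n, &pos, &total) || total > n - pos) return -1;
    if (pos >= n || tok[pos++] != 0x06) return -1;
    if (der_len(tok, n, &pos, &olen) || olen == 0 || olen > n - pos) return -1;
    const unsigned char *oid = tok + pos;
    if (oid[olen - 1] & 0x80) return -1;            /* last arc is cut off */
    unsigned first = oid[0] < 80 ? oid[0] / 40 : 2; /* octet 0 is 40*arc1 + arc2 */
    int w = snprintf(out, outsz, "%u.%u", first, oid[0] - 40 * first);
    if (w < 0 || (size_t)w >= outsz) return -1;
    size_t used = (size_t)w, arc = 0;
    for (size_t i = 1; i < olen; i++) {
        arc = (arc << 7) | (oid[i] & 0x7f);         /* base-128, high bit = more */
        if (oid[i] & 0x80) continue;
        w = snprintf(out + used, outsz - used, ".%zu", arc);
        if (w < 0 || (size_t)w >= outsz - used) return -1;
        used += (size_t)w;
        arc = 0;
    }
    return 0;
}

/* Returns 1 only when the token names Kerberos V5 (1.2.840.113554.1.2.2). */
int gss_token_is_krb5(const unsigned char *tok, size_t n)
{
    char oid[64];
    return gss_token_mech_oid(tok, n, oid, sizeof oid) == 0 &&
           strcmp(oid, "1.2.840.113554.1.2.2") == 0;
}
/* Constructed sample: start of a token whose framing names Kerberos V5. */
const unsigned char sample_krb5[] = {0x60,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
```

Logging this OID on the acceptor side for a working and a failing client shows whether the two clients are sending tokens for the same mechanism.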


