SSPI/GSS-API : mech_dh: Invalid or unknown error
Jacques Lebastard
jacques.lebastard at evidian.com
Fri Apr 15 07:48:32 EDT 2005
Wyllys Ingersoll wrote:
> Jacques Lebastard wrote:
>
>> The Kerberos OID is specified when invoking gss_acquire_cred
>> within GSS-API server.
>
>
> OK, but is the gss server able to actually acquire these creds? Usually,
> the server gets its credentials from a keytab file (/etc/krb5/krb5.keytab
> on Solaris 9).
Server has no problem acquiring its own cred (I even tried usage =
GSS_C_BOTH to make sure there is no problem b/w Solaris server and
Active Directory KDC).
>> > To make the system default to using the Kerberos mech, adjust the
>> > lines in /etc/gss/mech file so that kerberos_v5 mechanism appears
>> > before the mech_dh mechanisms.
>>
>>
>> Changing the entries in the mech file and restarting the GSS-API
>> server did not solve the problem. Would a server reboot make any
>> difference?
>
>
> No, rebooting Solaris will probably not help.
>
> What is the gssapi client requesting in its initial token?
> You might try analyzing the token that the gss-server is receiving
> to make sure it is getting an initial token that requests the Kerberos
> OID.
It does. The sole difference b/w accepted tokens and the refused one is
the contents of the encrypted parts.
Anyway, the problem has been identified: the customer just informed me
that the clock of the workstation was not properly synchronized.
However, if I try it here, I get an explicit GSS-minor error message.
Thanks for your contribution,
--
Mr. Jacques LEBASTARD mailto:jacques.lebastard at evidian.com
EVIDIAN S.A. www.evidian.com
Rue Jean Jaurès Tel: +33 1 30 80 77 86
F-78340 LES CLAYES SOUS BOIS Fax: +33 1 30 80 77 99
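
Added example, not part of the original message or of any Kerberos implementation: a small parser for the check suggested in the quoted text, reading the mechanism OID out of a received initial context token (RFC 2743 section 3.1 framing) to confirm the client requested Kerberos. The function names and the sample token are constructed for illustration.

```python
KRB5_OID = "1.2.840.113554.1.2.2"   # Kerberos V5 mechanism OID (RFC 1964)
SPNEGO_OID = "1.3.6.1.5.5.2"        # SPNEGO wrapper OID (RFC 4178)

def _der_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, offset after it)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn DER OID content octets into dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID encoding")
    arcs, value = [], 0
    for octet in body:                    # base-128, high bit = continuation
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                       # first two arcs share one value
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def initial_token_mech(token):
    """Return the mechanism OID named in a GSS-API initial context token."""
    if not token or token[0] != 0x60:     # [APPLICATION 0] framing, RFC 2743 3.1
        raise ValueError("no RFC 2743 framing (token does not start with 0x60)")
    total, pos = _der_length(token, 1)
    if pos + total > len(token):
        raise ValueError("token shorter than its declared length")
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated mechanism OID")
    return _decode_oid(token[pos:pos + oid_len])

# Constructed sample: framing + Kerberos OID + the first two octets (01 00)
# of the inner token; the rest of the AP-REQ is omitted.
SAMPLE = bytes.fromhex("600d06092a864886f7120102020100")

if __name__ == "__main__":
    mech = initial_token_mech(SAMPLE)
    print(mech, "(Kerberos)" if mech == KRB5_OID else "(not Kerberos)")
```

A token that yields SPNEGO_OID carries its list of candidate mechanisms inside the SPNEGO payload, which this parser does not descend into.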