Issue with gssapi on OpenSolaris
Markus Moeller
huaraz at moeller.plus.com
Sat Oct 8 07:18:21 EDT 2005
I have a problem on OpenSolaris with the GSSAPI. When I use the MIT
gss-sample program (with minor changes e.g. included gssapi header file)
I don't get all the context flags transferred to the server. It looks like a
bug somewhere in the gssapi. Has anybody seen this issue or know what is
wrong in the sample program? BTW it works on Solaris 10.
Thanks
Markus
On OpenSolaris:
$ uname -a
SunOS server1.test.com 5.11 snv_23 i86pc i386 i86pc
The first and second request sends flags:
GSS_C_MUTUAL_FLAG
GSS_C_REPLAY_FLAG
GSS_C_CONF_FLAG
GSS_C_INTEG_FLAG
$ ./gss-client -port 10000 server1.test.com host Hello
Sending init_sec_context token (size=1759)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"user1 at TEST.COM" to "host/server1.test.com at TEST.COM", lifetime 24621, flags
1b6, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 1 1 }.
Mechanism { 1 2 840 113554 1 2 2 } supports 8 names
0: { 1 2 840 113554 1 2 1 1 }
1: { 1 2 840 113554 1 2 1 2 }
2: { 1 2 840 113554 1 2 1 3 }
3: { 1 3 6 1 5 6 2 }
4: { 1 3 6 1 5 6 2 }
5: { 1 3 6 1 5 6 4 }
6: { 1 2 840 113554 1 2 1 1 }
7: { 1 2 840 113554 1 2 2 2 }
Signature verified.
$ ./gss-client -port 10000 server1.test.com host Hello
Sending init_sec_context token (size=1758)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"user1 at TEST.COM" to "host/server1.test.com at TEST.COM", lifetime 24618, flags
1b6, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 1 1 }.
Mechanism { 1 2 840 113554 1 2 2 } supports 8 names
0: { 1 2 840 113554 1 2 1 1 }
1: { 1 2 840 113554 1 2 1 2 }
2: { 1 2 840 113554 1 2 1 3 }
3: { 1 3 6 1 5 6 2 }
4: { 1 3 6 1 5 6 2 }
5: { 1 3 6 1 5 6 4 }
6: { 1 2 840 113554 1 2 1 1 }
7: { 1 2 840 113554 1 2 2 2 }
Signature verified.
The server receives for the first request:
GSS_C_DELEG_FLAG
GSS_C_REPLAY_FLAG
GSS_C_INTEG_FLAG
and for the second only:
GSS_C_DELEG_FLAG
$ /src/user1/gss-sample/gss-server -port 10000 host
context flag: GSS_C_DELEG_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_INTEG_FLAG
Accepted connection: "user1 at TEST.COM"
Received message: "Hello"
NOOP token
context flag: GSS_C_DELEG_FLAG
Accepted connection: "user1 at TEST.COM"
Received message: "Hello"
NOOP token
Whereas on Solaris 10 I get the expected result with the server getting the
exact 4 flags the client sent:
GSS_C_MUTUAL_FLAG
GSS_C_REPLAY_FLAG
GSS_C_CONF_FLAG
GSS_C_INTEG_FLAG
Solaris 10
$ uname -a
SunOS server2.test.com 5.10 Generic_118822-18 sun4u sparc SUNW,Ultra-5_10
$ ./gss-client -port 10000 server2.test.com host Hello
Sending init_sec_context token (size=1755)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"user1 at TEST.COM" to "host/server2.test.com at TEST.COM", lifetime 26716, flags
1b6, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 1 1 }.
Mechanism { 1 2 840 113554 1 2 2 } supports 8 names
0: { 1 2 840 113554 1 2 1 1 }
1: { 1 2 840 113554 1 2 1 2 }
2: { 1 2 840 113554 1 2 1 3 }
3: { 1 3 6 1 5 6 2 }
4: { 1 3 6 1 5 6 2 }
5: { 1 3 6 1 5 6 4 }
6: { 1 2 840 113554 1 2 1 1 }
7: { 1 2 840 113554 1 2 2 2 }
Signature verified.
$ ./gss-client -port 10000 server2.test.com host Hello
Sending init_sec_context token (size=1756)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"user1 at TEST.COM" to "host/server2.test.com at TEST.COM", lifetime 26714, flags
1b6, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 1 1 }.
Mechanism { 1 2 840 113554 1 2 2 } supports 8 names
0: { 1 2 840 113554 1 2 1 1 }
1: { 1 2 840 113554 1 2 1 2 }
2: { 1 2 840 113554 1 2 1 3 }
3: { 1 3 6 1 5 6 2 }
4: { 1 3 6 1 5 6 2 }
5: { 1 3 6 1 5 6 4 }
6: { 1 2 840 113554 1 2 1 1 }
7: { 1 2 840 113554 1 2 2 2 }
Signature verified.
$ ./gss-server -port 10000 host
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Accepted connection: "user1 at TEST.COM"
Received message: "Hello"
NOOP token
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Accepted connection: "user1 at TEST.COM"
Received message: "Hello"
NOOP token
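
An added example, not part of the original post or of the MIT sample program: a C sketch that compares the initiator's and acceptor's context flags and applies an acceptor-side policy check to the ret_flags of gss_accept_sec_context(). The bit values are those of RFC 2744; the F_* macro names, the helper function names, the server-side masks (built from the flag names gss-server printed above) and the example policy are assumptions for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* Context flag bits as defined in RFC 2744; the F_* names are local to this example. */
#define F_DELEG  0x01u /* GSS_C_DELEG_FLAG    */
#define F_MUTUAL 0x02u /* GSS_C_MUTUAL_FLAG   */
#define F_REPLAY 0x04u /* GSS_C_REPLAY_FLAG   */
#define F_SEQ    0x08u /* GSS_C_SEQUENCE_FLAG */
#define F_CONF   0x10u /* GSS_C_CONF_FLAG     */
#define F_INTEG  0x20u /* GSS_C_INTEG_FLAG    */
#define F_SIX    0x3fu /* the six flags above */

/* Flags the initiator holds that the acceptor does not report. */
uint32_t flags_missing(uint32_t init, uint32_t acc) { return init & ~acc & F_SIX; }

/* Flags the acceptor reports that the initiator never negotiated. */
uint32_t flags_unexpected(uint32_t init, uint32_t acc) { return acc & ~init & F_SIX; }

/* Acceptor-side policy check on ret_flags from gss_accept_sec_context():
 * every required flag must be set and no forbidden flag may be set. */
int context_acceptable(uint32_t ret_flags, uint32_t required, uint32_t forbidden) {
    return (ret_flags & required) == required && (ret_flags & forbidden) == 0;
}

void print_flags(const char *label, uint32_t f) {
    static const char *names[] = { "DELEG", "MUTUAL", "REPLAY", "SEQUENCE", "CONF", "INTEG" };
    printf("%-12s", label);
    for (int i = 0; i < 6; i++)
        if (f & (1u << i)) printf(" GSS_C_%s_FLAG", names[i]);
    printf("%s\n", f & F_SIX ? "" : " (none)");
}

int main(void) {
    uint32_t client = 0x1b6; /* "flags 1b6" printed by gss-client above */
    /* Constructed from the flag names gss-server printed in the post. */
    uint32_t server[] = { F_DELEG | F_REPLAY | F_INTEG,             /* OpenSolaris, 1st request */
                          F_DELEG,                                  /* OpenSolaris, 2nd request */
                          F_MUTUAL | F_REPLAY | F_CONF | F_INTEG }; /* Solaris 10 */
    uint32_t required = F_MUTUAL | F_CONF | F_INTEG; /* assumed example policy */
    for (int i = 0; i < 3; i++) {
        print_flags("missing:", flags_missing(client, server[i]));
        print_flags("unexpected:", flags_unexpected(client, server[i]));
        printf("acceptable:  %s\n\n",
               context_acceptable(server[i], required, F_DELEG) ? "yes" : "no");
    }
    return 0;
}
```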