gsstest-1.27 and krb5-1.4.3 problem on Solaris 10
Udo Fink
ufink at gmx.de
Sun Apr 23 16:42:40 EDT 2006
Hi All,
I'm facing some problems with gsstest.
I've compiled and installed krb5-1.4.3, gsstest-1.27 and I'm using the SNC
Adapter. My KDC is a Win2k3 SP1 DC.
Before running gsstest I did a:
kinit -k -t /etc/krb5.keytab host/tcsun20.deu.xx.com at SES2003.BBN.XX.COM
klist produces:
---------------
Ticket cache: FILE:/tmp/krb5cc_20101
Default principal: host/tcsun20.deu.xx.com at SES2003.BBN.XX.COM
Valid starting Expires Service principal
04/23/06 22:07:13 04/24/06 08:07:13
krbtgt/SES2003.BBN.XX.COM at SES2003.BBN.XX.COM
renew until 04/24/06 22:07:13
04/23/06 22:11:06 04/24/06 08:07:13
host/tcsun20.deu.xx.com at SES2003.BBN.XX.COM
renew until 04/24/06 22:07:13
Kerberos 4 ticket cache: /tmp/tkt20101
klist: You have no tickets cached
---------------
I called gsstest with the following parameters:
../gsstest-1.27/sun_64/gsstest -l ./snckrb5.so
gsstest seems to be running pretty much okay.
However I'm getting one error in the test summary:
(( 2 b ))
Observed sizes of names:
printable names [ 41 .. 42 ] bytes
exported binary canonical names [ 61 .. 61 ] bytes
*FAILING* SAP constraint:
==> gss_display_name() returned 8 name(s) with leading whitespace!
Support of Hostbased Service Names:
gss_inquire_names_for_mech() includes GSS_C_NT_HOSTBASED_SERVICE,n and
our sample hostbased service name is accepted.
Unfortunately I don't know how serious this error is and what can be done
about it?
Any help or suggestions would be greatly appreciated!
Below is an excerpt from the gsstest output, which shows some more details
on the errors produced.
Best Regards,
Udo
===========================================================
Loading GSS-API shared library #1 "./snckrb5.so" ...
... was loaded as an SAP SNC-Adapter.
mech_list from gss_indicate_mechs() #1 contains 2 gss_OID elements:
{
[ 0] = {1 2 840 113554 1 2 2} MECH= Kerberos 5 (v2 - rfc1964)
[ 1] = {1 3 5 1 5 2} MECH= Kerberos 5 (PRE-rfc1964)
}
Selecting mechanism (0) from GSS shared library #1:
{1 2 840 113554 1 2 2} MECH= Kerberos 5 (v2 - rfc1964)
====================
... SNIP ...
====================
Testing credentials management functions ...
----------
TEST: *default* initiating credentials (acquire_cred default mechs)
RESULT OK
actual_mechs from gss_acquire_cred() contains 2 gss_OID elements:
{
[ 0] = {1 3 5 1 5 2} MECH= Kerberos 5 (PRE-rfc1964)
[ 1] = {1 2 840 113554 1 2 2} MECH= Kerberos 5 (v2 - rfc1964)
}
----------
TEST: *default* initiating credentials (acquire_cred specific mechs)
RESULT OK
TEST: *default* initiating credentials (inquire_cred only)
RESULT OK
TEST: named default initiating credentials (acquire_cred with name)
RESULT OK
TEST: acquire_cred and inquire_cred with NO optional parameters
RESULT OK
My own name/identity (from default creds) resolves to
"host/tcsun20.deu.xx.com at SES2003.BBN.XX.COM"
Nametype oid = {1 2 840 113554 1 2 2 1} NT=
GSS_KRB5_NT_PRINCIPAL_NAME
TEST: Examining the exported name framing
Framing details for exported name (Section 3.2, GSS-API v2 spec):
TOK_ID : 00000: 04 01
MECH_OID_LEN = 11 : 00002: 00 0b
OID tag : 00004: 06
OID len = 9 : 00005: 09
OID elements : 00006: 2a 86 48 86 f7 12 01 02 02
= {1 2 840 113554 1 2 2} MECH= Kerberos 5 (v2 - rfc1964)
NAME_LEN = 42 : 0000f: 00 00 00 2a
NAME : 00013: 68 6f 73 74 2f 74 63 73 host/tcs
0001b: 75 6e 32 30 2e 64 65 75 un20.deu
00023: 2e 68 70 2e 63 6f 6d 40 .xx.com@
0002b: 53 45 53 32 30 30 33 2e SES2003.
00033: 42 42 4e 2e 48 50 2e 43 BBN.XX.C
0003b: 4f 4d OM
RESULT OK
Since you didn't give me a target name, I'll try to talk to myself!
TEST: acquiring *default* initiating credentials (simple)
RESULT OK
TEST: acquiring *default* initiating credentials (query)
RESULT OK
TEST: acquiring initiating credentials (gss_name_t)
RESULT OK
TEST: acquiring initiating credentials (printable name)
RESULT OK
TEST: acquiring initiating credentials (can. printable name)
RESULT OK
TEST: acquiring accepting credentials for target (printable name)
for identity "host/tcsun20.deu.xx.com at SES2003.BBN.XX.COM"
canonical identity "host/tcsun20.deu.xx.com at SES2003.BBN.XX.COM"
RESULT OK
TEST: acquiring accepting credentials for target (can. printable name)
RESULT OK
TEST: acquiring *default* accepting credentials (simple)
ERROR: gss_inquire_cred() succeeded but failed to return name!
RESULT NOT ok (rc=1)
-------
TEST: acquiring *default* accepting credentials (query)
ERROR: gss_inquire_cred() succeeded but failed to return name!
RESULT NOT ok (rc=1)
-------
====================
Testing names management functions ...
----------
TEST: Testing consistency of gss_name_t conversions
RESULT OK
TEST: Testing consistency of gss_name_t conversions
RESULT OK
TEST: Testing support of hostbased service name "ftp at tcsun20"
Hostbased service name is recognized and transformed to
this name = "ftp/tcsun20.deu.xx.com at SES2003.BBN.XX.COM"
With alternative nametype OID hostbased service name is transformed to
this name = "ftp/tcsun20.deu.xx.com at SES2003.BBN.XX.COM"
RESULT OK
====================
Context establishment functions ...
----------
TEST: Testing sec_context est.: ini_cred=SIMPLE, acc_cred=GSSNAMED
RESULT OK
TEST: Testing sec_context est.: ini_cred=CHECKED, acc_cred=GSSNAMED
RESULT OK
TEST: Testing sec_context est.: ini_cred=GSSNAMED, acc_cred=GSSNAMED
RESULT OK
TEST: Testing sec_context est.: ini_cred=PRNAMED, acc_cred=GSSNAMED
RESULT OK
TEST: Testing sec_context est.: ini_cred=PRNAMED_VIA_XP, acc_cred=GSSNAMED
RESULT OK
TEST: Testing sec_context est.: ini_cred=SIMPLE, acc_cred=CHECKED
ERROR: gss_inquire_cred() succeeded but failed to return name!
RESULT NOT ok (rc=1)
-------
TEST: Testing 10 sec_context est.: ini_cred=CHECKED, acc_cred=GSSNAMED
RESULT OK
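The "exported name framing" dump in the gsstest output above follows the exported name layout of the GSS-API v2 spec, Section 3.2: TOK_ID, MECH_OID_LEN, DER-encoded mechanism OID, NAME_LEN, NAME. The following strict parser for that layout is an added example, not part of the original post and not gsstest or krb5 code; the function names and the sample principal are assumptions made for illustration.

```python
import struct

# DER content octets of the Kerberos 5 mechanism OID {1 2 840 113554 1 2 2}
KRB5_OID = bytes.fromhex("2a864886f712010202")

def decode_oid(body: bytes) -> str:
    """Decode DER OID content octets (base-128 arcs) to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:           # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first octet packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def build_exported_name(oid: bytes, name: bytes) -> bytes:
    """Frame a name: TOK_ID, MECH_OID_LEN, DER OID, NAME_LEN, NAME."""
    der = b"\x06" + bytes([len(oid)]) + oid
    return (b"\x04\x01" + struct.pack(">H", len(der)) + der
            + struct.pack(">I", len(name)) + name)

def parse_exported_name(tok: bytes) -> dict:
    """Parse and strictly validate an exported name token."""
    if len(tok) < 4 or tok[:2] != b"\x04\x01":
        raise ValueError("bad TOK_ID")
    (mech_len,) = struct.unpack(">H", tok[2:4])
    mech = tok[4:4 + mech_len]
    if len(mech) != mech_len or mech_len < 3 or mech[0] != 0x06:
        raise ValueError("bad mechanism OID")
    if mech[1] & 0x80 or mech[1] != mech_len - 2:  # short-form length only
        raise ValueError("OID length mismatch")
    off = 4 + mech_len
    if len(tok) < off + 4:
        raise ValueError("truncated NAME_LEN")
    (name_len,) = struct.unpack(">I", tok[off:off + 4])
    name = tok[off + 4:]
    if len(name) != name_len:      # rejects truncation and trailing bytes
        raise ValueError("NAME_LEN does not match remaining bytes")
    return {"mech": decode_oid(mech[2:]), "name": name, "name_offset": off + 4}

# Constructed sample principal, not taken from the post
SAMPLE = build_exported_name(KRB5_OID, b"host/server.example.com@EXAMPLE.COM")

if __name__ == "__main__":
    print(parse_exported_name(SAMPLE))
```

For the Kerberos 5 mechanism OID the name always starts at offset 0x13, which matches the NAME offset in the dump and the 61-byte exported name size reported for a 42-byte name.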