Problems acquiring credentials
McIntire, Kyle
McIntirK at kochind.com
Thu May 25 15:00:48 EDT 2006
I am in the process of writing a server that needs to use Kerberos 5 and
the GSS-API to authenticate. I am using the gss-server program from the
latest Kerberos distribution as an example, but I am not having much
success. Being a newbie to the GSS-API, I'm sure it's probably something
really silly that is getting me hung up.
Anyway, I modified the "server_acquire_creds" function in gss-server.c
as follows:
========================================================================
#include <stdio.h>
#include <string.h>
#include <gssapi/gssapi.h>

/* display_status() is the helper from gss-misc.c in the same sample. */

static int server_acquire_creds(service_name, server_creds)
    char *service_name;
    gss_cred_id_t *server_creds;
{
    gss_buffer_desc name_buf;
    gss_name_t server_name;
    OM_uint32 maj_stat, min_stat;

    /* Wrap the "service@host" string in a GSS buffer; the length still
     * counts the terminating NUL, as in the sample's original code. */
    name_buf.value = service_name;
    name_buf.length = strlen(name_buf.value) + 1;
    printf("\nname_buf.length = %lu\n", (unsigned long) name_buf.length);

    /* Turn the host-based service name into an internal GSS name. */
    maj_stat = gss_import_name(&min_stat, &name_buf,
                               (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
                               &server_name);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("importing name", maj_stat, min_stat);
        return -1;
    } else {
        printf("\ngss_import_name - OK\n");
    }

    /* Acquire acceptor credentials for that name; the krb5 mechanism
     * looks the matching principal up in the default keytab. */
    maj_stat = gss_acquire_cred(&min_stat, server_name, 0, GSS_C_NULL_OID_SET,
                                GSS_C_ACCEPT, server_creds, NULL, NULL);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("acquiring credentials", maj_stat, min_stat);
        return -1;
    }

    (void) gss_release_name(&min_stat, &server_name);
    return 0;
}
========================================================================
When I kinit and run the gss-server program, I get the following
results:
========================================================================
mcintirk@kmstakrbdev:~$ kinit
Password for mcintirk@KMSTADEV.KOCHIND.COM:
mcintirk@kmstakrbdev:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mcintirk@KMSTADEV.KOCHIND.COM
Valid starting     Expires            Service principal
05/25/06 18:20:39  05/26/06 04:20:39  krbtgt/KMSTADEV.KOCHIND.COM@KMSTADEV.KOCHIND.COM
        renew until 05/25/06 18:20:39
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
mcintirk@kmstakrbdev:~$ gss-server -port 999 -verbose expsrvr@kmstakrbdev.kochind.com
service_name = expsrvr@kmstakrbdev.kochind.com
name_buf.length = 32
gss_import_name - OK
GSS-API error acquiring credentials: Miscellaneous failure
GSS-API error acquiring credentials: No principal in keytab matches desired name
========================================================================
My /etc/krb5.keytab file has what I think are the appropriate entries
because I can klist and see them, as well as being able to kinit using
the service principal "expsrvr/kmstakrbdev.kochind.com" using the
keytab:
========================================================================
mcintirk@kmstakrbdev:~$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 expsrvr/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM (Triple DES cbc mode with HMAC/sha1)
   2 expsrvr/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM (DES cbc mode with CRC-32)
   3 host/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM (DES cbc mode with CRC-32)
mcintirk@kmstakrbdev:~$ kinit -k expsrvr/kmstakrbdev.kochind.com
mcintirk@kmstakrbdev:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: expsrvr/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM
Valid starting     Expires            Service principal
05/25/06 18:19:19  05/26/06 04:19:19  krbtgt/KMSTADEV.KOCHIND.COM@KMSTADEV.KOCHIND.COM
        renew until 05/25/06 18:19:19
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
========================================================================
I've included a kadmin listing of the server principal involved:
========================================================================
mcintirk@kmstakrbdev:~$ kadmin
Couldn't open log file /var/log/kadmin.log: Permission denied
Authenticating as principal mcintirk/admin@KMSTADEV.KOCHIND.COM with password.
Password for mcintirk/admin@KMSTADEV.KOCHIND.COM:
kadmin: list_principals
K/M@KMSTADEV.KOCHIND.COM
expsrvr/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM
host/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM
kadmin/admin@KMSTADEV.KOCHIND.COM
kadmin/changepw@KMSTADEV.KOCHIND.COM
kadmin/history@KMSTADEV.KOCHIND.COM
krbtgt/KMSTADEV.KOCHIND.COM@KMSTADEV.KOCHIND.COM
mcintirk/admin@KMSTADEV.KOCHIND.COM
mcintirk@KMSTADEV.KOCHIND.COM
kadmin: get_principal expsrvr/kmstakrbdev.kochind.com
Principal: expsrvr/kmstakrbdev.kochind.com@KMSTADEV.KOCHIND.COM
Expiration date: [never]
Last password change: Fri May 19 20:39:17 UTC 2006
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri May 19 20:39:17 UTC 2006 (mcintirk/admin@KMSTADEV.KOCHIND.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin: quit
========================================================================
At this point, I'm stumped. I appreciate any help you can give.
Thanks.
Kyle McIntire
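The failure in this post is the acceptor not finding a keytab entry for the principal it derives from the host-based name. The following Python is an added example, not part of the original post or of the MIT gss-sample code: it parses a keytab in the 0x0502 file format and reports which entries match the "service/host@REALM" principal that a "service@host" name maps to. The embedded keytab is constructed from the principals in the klist -ke listing above with dummy keys, and DNS canonicalization of the host, which the real krb5 mechanism may also apply, is not modelled.

```python
import struct
REALM = "KMSTADEV.KOCHIND.COM"   # realm of the principals in the listing above
def _entry(realm, comps, vno, enctype, key):
    # entry layout: ncomp, realm, components, name type, timestamp, 8-bit vno, key block, 32-bit vno
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)        # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (file format version 0x0502) holding the principals
# from klist -ke; enctype 16 = des3-cbc-sha1, 1 = des-cbc-crc, keys are dummies.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    _entry(REALM, ["expsrvr", "kmstakrbdev.kochind.com"], 2, 16, b"\x11" * 24),
    _entry(REALM, ["expsrvr", "kmstakrbdev.kochind.com"], 2, 1, b"\x22" * 8),
    _entry(REALM, ["host", "kmstakrbdev.kochind.com"], 3, 16, b"\x33" * 24),
])

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of a keytab."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                        # negative size marks a deleted slot
            pos += -size; continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        strs = []
        for _ in range(ncomp + 1):           # realm first, then the components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            strs.append(data[p:p + n].decode()); p += n
        vno8 = data[p + 8]; p += 9           # skip name type and timestamp
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], vno, enctype))
        pos = end
    return entries

def hostbased_to_principal(name, realm):
    """GSS_C_NT_HOSTBASED_SERVICE 'service@host' -> 'service/host@REALM'. A trailing
    NUL from a strlen()+1 length is dropped; DNS host canonicalization is not modelled."""
    service, _, host = name.rstrip("\0").partition("@")
    return f"{service}/{host.lower()}@{realm}"
def keytab_matches(data, hostbased_name, realm=REALM):
    """Entries for the desired name; an empty list is what 'No principal in keytab matches' means."""
    want = hostbased_to_principal(hostbased_name, realm)
    return [e for e in parse_keytab(data) if e[0] == want]
```

Run it against a real keytab by reading /etc/krb5.keytab (a constructed path here, use your own) with open(..., "rb").read() and passing the service name the server is started with.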