gss_init_sec_context failing with SPNEGO

Aakash aakash.m.joshi at gmail.com
Thu Sep 6 05:38:12 EDT 2007


Hi,

I am facing some problems while doing a gss_init_sec_context with
SPNEGO. Take a look at the snippet below.

The API gss_init_sec_context_spnego is a wrapper over the
gss_init_sec_context call. It prepares a negotiate token for the
initiator and encapsulates it in a SPNEGO packet. It will be called only
once.

During the first loop iteration it creates the NegTokenInit token, and
gss_init_sec_context_spnego returns GSS_S_CONTINUE_NEEDED (as
expected). Also, I checked in Ethereal that the server is responding with
an accept_completed and the negotiated mechanism.

Now, as per RFC 4178 (SPNEGO), the client has to invoke
gss_init_sec_context with
input_token = negTokenTarg

I have done so, but gss_init_sec_context fails, giving the reason:
GSS-API error Error initializing security context: Invalid token was
supplied
GSS-API error Error initializing security context: No error

Am I doing something wrong while responding back to the
server?

<snip>
	/* Assumed to be declared earlier in the program: gss_rc, minor_status,
	   context_handle (GSS_C_NO_CONTEXT), serv_name, mech_type,
	   input_token and output_token (GSS_C_EMPTY_BUFFER), neg_state = 0,
	   the LDAP handle ld, struct berval cbv and *sbv = NULL, and retval. */
	do
	{
		OM_uint32 ret_flags1;
		fprintf(stderr, "NEXT.............................3\n");

		/* First pass: build the NegTokenInit through the SPNEGO wrapper. */
		if (neg_state == 0)
		{
			printf("executing spnego init\n");
			gss_rc = gss_init_sec_context_spnego(&minor_status,
				GSS_C_NO_CREDENTIAL, &context_handle, serv_name, mech_type,
				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG,
				0, NULL, &input_token, NULL, &output_token, &ret_flags1, NULL);

			neg_state = 1;
		}
		/* Later passes: hand the server's reply to the plain GSS-API call. */
		else
		{
			printf("executing normal init\n");
			gss_rc = gss_init_sec_context(&minor_status, GSS_C_NO_CREDENTIAL,
				&context_handle, serv_name, mech_type,
				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG,
				0, NULL, &input_token, NULL, &output_token, &ret_flags1, NULL);
		}

		if (gss_rc != GSS_S_COMPLETE && gss_rc != GSS_S_CONTINUE_NEEDED)
		{
			display_status("Error initializing security context", gss_rc,
				minor_status);
			goto cleanup;
		}

		/* Send this pass's token as the GSS-SPNEGO SASL credential. */
		cbv.bv_val = (char *)output_token.value;
		cbv.bv_len = output_token.length;

		retval = ldap_sasl_bind_s(ld, NULL, "GSS-SPNEGO", &cbv, NULL, NULL,
			&sbv);

		/* The token has been handed over; release the GSS-API buffer so it
		   is not leaked on the next pass. */
		gss_release_buffer(&minor_status, &output_token);

		if (!(retval == LDAP_SASL_BIND_IN_PROGRESS || retval == LDAP_SUCCESS))
		{
			fprintf(stderr, "SASL Bind error: %s\n", ldap_err2string(retval));
			goto cleanup;
		}

		/* The server's reply, if any, becomes the input token for the next pass. */
		if (sbv)
		{
			input_token.value  = sbv->bv_val;
			input_token.length = sbv->bv_len;
		}

	} while (gss_rc == GSS_S_CONTINUE_NEEDED);
</snip>
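Added example, not code from the original post: RFC 4178 frames the first leg as a NegTokenInit inside an RFC 2743 InitialContextToken tagged with the SPNEGO OID (1.3.6.1.5.5.2), and every reply (the negTokenTarg referred to above) as a bare [1] NegTokenResp whose responseToken field holds the token belonging to the mechanism named in supportedMech. The C program below classifies a buffer by that outer framing and decodes the fields of a NegTokenResp, so a token can be inspected before it is passed to a GSS-API call when a mechanism reports an invalid token. The function and type names (spnego_classify, spnego_parse_resp, der_tlv, struct negtokenresp) are mine, and both sample tokens are constructed inline; the responseToken bytes are a placeholder, not a real Kerberos token.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* What the outer framing says about which layer should consume the buffer:
   NegTokenInit (first leg), NegTokenResp (reply legs), another mechanism's
   own InitialContextToken (e.g. raw krb5), or unrecognised/truncated DER. */
enum spnego_kind { TOKEN_NEGTOKENINIT, TOKEN_NEGTOKENRESP, TOKEN_RAW_MECH, TOKEN_UNKNOWN };
/* Fields of a NegTokenResp (RFC 4178 section 4.2.2); pointers stay NULL when absent. */
struct negtokenresp {
    int negState;                 /* -1 absent; 0 accept-completed, 1 accept-incomplete, 2 reject, 3 request-mic */
    const uint8_t *supportedMech; size_t supportedMech_len;  /* OID contents as encoded on the wire */
    const uint8_t *responseToken; size_t responseToken_len;  /* inner token owned by the negotiated mechanism */
};
static const uint8_t SPNEGO_OID[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };  /* 1.3.6.1.5.5.2 */

/* Read one DER tag-length header. Returns the header size, or 0 if it is
   malformed or the declared length runs past the buffer (a truncated token). */
static size_t der_tlv(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    size_t hdr = 2;
    if (p[1] < 0x80) {
        *len = p[1];
    } else {                      /* long form: 0x8n then n length bytes */
        size_t n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
        *len = 0;
        for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
        hdr += n;
    }
    return (*len > avail - hdr) ? 0 : hdr;
}

enum spnego_kind spnego_classify(const uint8_t *buf, size_t len)
{
    uint8_t tag, t2; size_t l, l2;
    size_t hdr = der_tlv(buf, len, &tag, &l);
    if (!hdr) return TOKEN_UNKNOWN;
    if (tag == 0xa1) return TOKEN_NEGTOKENRESP;   /* NegTokenResp is sent bare */
    if (tag != 0x60) return TOKEN_UNKNOWN;
    /* [APPLICATION 0] InitialContextToken: the first element is the mechanism OID */
    size_t h2 = der_tlv(buf + hdr, l, &t2, &l2);
    if (h2 && t2 == 0x06 && l2 == sizeof SPNEGO_OID && memcmp(buf + hdr + h2, SPNEGO_OID, l2) == 0)
        return TOKEN_NEGTOKENINIT;
    return TOKEN_RAW_MECH;
}

/* Decode a NegTokenResp into *out. Returns 0 on success, -1 on malformed DER. */
int spnego_parse_resp(const uint8_t *buf, size_t len, struct negtokenresp *out)
{
    uint8_t tag, it; size_t l, il;
    memset(out, 0, sizeof *out);
    out->negState = -1;
    size_t hdr = der_tlv(buf, len, &tag, &l);
    if (!hdr || tag != 0xa1) return -1;          /* [1] negTokenResp */
    const uint8_t *p = buf + hdr; size_t rem = l;
    hdr = der_tlv(p, rem, &tag, &l);
    if (!hdr || tag != 0x30) return -1;          /* SEQUENCE */
    p += hdr; rem = l;
    while (rem > 0) {                            /* each member is [n] EXPLICIT { primitive } */
        hdr = der_tlv(p, rem, &tag, &l);
        if (!hdr) return -1;
        const uint8_t *v = p + hdr;
        size_t ih = der_tlv(v, l, &it, &il);
        if (!ih) return -1;
        switch (tag) {
        case 0xa0: if (it != 0x0a || il != 1) return -1; out->negState = v[ih]; break;
        case 0xa1: if (it != 0x06) return -1; out->supportedMech = v + ih; out->supportedMech_len = il; break;
        case 0xa2: if (it != 0x04) return -1; out->responseToken = v + ih; out->responseToken_len = il; break;
        case 0xa3: if (it != 0x04) return -1; break;  /* mechListMIC: checked, not extracted here */
        default:   return -1;
        }
        p += hdr + l; rem -= hdr + l;
    }
    return 0;
}

/* Constructed sample tokens, not captured traffic; the responseToken bytes are a placeholder. */
const uint8_t SAMPLE_NEGTOKENINIT[] = {
    0x60, 0x1b, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02,       /* InitialContextToken + SPNEGO OID */
    0xa0, 0x11, 0x30, 0x0f, 0xa0, 0x0d, 0x30, 0x0b,                   /* NegTokenInit { mechTypes { */
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02  /*   krb5 1.2.840.113554.1.2.2 } } */
};
const uint8_t SAMPLE_NEGTOKENRESP[] = {
    0xa1, 0x1c, 0x30, 0x1a,                                           /* [1] NegTokenResp SEQUENCE */
    0xa0, 0x03, 0x0a, 0x01, 0x00,                                     /* negState accept-completed(0) */
    0xa1, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,  /* supportedMech krb5 */
    0xa2, 0x06, 0x04, 0x04, 0x01, 0x02, 0x03, 0x04                    /* responseToken placeholder */
};

int main(void)
{
    struct negtokenresp r;
    int ok = spnego_parse_resp(SAMPLE_NEGTOKENRESP, sizeof SAMPLE_NEGTOKENRESP, &r) == 0;
    printf("kind=%d parsed=%d negState=%d responseToken=%zu bytes\n",
           spnego_classify(SAMPLE_NEGTOKENRESP, sizeof SAMPLE_NEGTOKENRESP), ok, r.negState, r.responseToken_len);
    return 0;
}
```

The classifier separates the SPNEGO framing, which the SPNEGO layer consumes, from a mechanism's own InitialContextToken. A single mechanism such as krb5 parses only its own framing, so a buffer that classifies as TOKEN_NEGTOKENRESP is not something that mechanism's initialiser can accept as-is; the responseToken field is the part that belongs to it. The parser also rejects truncated input, since every declared DER length is checked against the bytes actually available before anything is dereferenced.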




More information about the Kerberos mailing list