gss_init_sec_context failing with SPNEGO
Aakash
aakash.m.joshi at gmail.com
Thu Sep 6 05:38:12 EDT 2007
Hi,
I am facing some problems while doing a gss_init_sec_context with
SPNEGO. Take a look at the snippet below.
The API gss_init_sec_context_spnego is a wrapper over the
gss_init_sec_context call. It prepares a negotiate token for the
initiator and encapsulates it in a SPNEGO packet. It will be called only
once.
During the first loop it creates the NegTokenInit token, and
gss_init_sec_context_spnego returns GSS_S_CONTINUE_NEEDED (as
expected). I also checked with Ethereal: the server is responding with
an accept_completed and the negotiated mechanism.
Now, as per RFC 4178 (SPNEGO), the client has to invoke
gss_init_sec_context with
input_token = negTokenTarg
I have done so, but gss_init_sec_context fails, giving the reason:
GSS-API error Error initializing security context: Invalid token was
supplied
GSS-API error Error initializing security context: No error
Am I doing something wrong while responding back to the
server?
<snip>
    do
    {
        OM_uint32 ret_flags1;
        OM_uint32 min_stat;

        fprintf(stderr, "NEXT.............................3\n");

        /* First pass: build the NegTokenInit through the SPNEGO wrapper. */
        if (neg_state == 0)
        {
            printf("executing spnego init\n");
            gss_rc = gss_init_sec_context_spnego(&minor_status,
                        GSS_C_NO_CREDENTIAL, &context_handle, serv_name,
                        mech_type,
                        GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG,
                        0, NULL, &input_token, NULL, &output_token,
                        &ret_flags1, NULL);
            neg_state = 1;
        }
        /* Later passes: feed the server's negTokenTarg to
         * gss_init_sec_context directly. */
        else
        {
            printf("executing normal init\n");
            gss_rc = gss_init_sec_context(&minor_status, GSS_C_NO_CREDENTIAL,
                        &context_handle, serv_name, mech_type,
                        GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG,
                        0, NULL, &input_token, NULL, &output_token,
                        &ret_flags1, NULL);
        }

        /* The server credential from the previous bind has been consumed;
         * release it so it is not leaked on the next iteration. */
        if (sbv)
        {
            ber_bvfree(sbv);
            sbv = NULL;
        }
        input_token.value = NULL;
        input_token.length = 0;

        if (gss_rc != GSS_S_COMPLETE && gss_rc != GSS_S_CONTINUE_NEEDED)
        {
            display_status("Error initializing security context", gss_rc,
                           minor_status);
            goto cleanup;
        }

        /* Hand the output token to the directory as the SASL credential. */
        cbv.bv_val = (char *)output_token.value;
        cbv.bv_len = output_token.length;
        retval = ldap_sasl_bind_s(ld, NULL, "GSS-SPNEGO", &cbv, NULL, NULL,
                                  &sbv);
        gss_release_buffer(&min_stat, &output_token);
        if (!(retval == LDAP_SASL_BIND_IN_PROGRESS || retval == LDAP_SUCCESS))
        {
            fprintf(stderr, "SASL Bind error:%s\n", ldap_err2string(retval));
            goto cleanup;
        }

        /* The server's reply (negTokenTarg) becomes the next input token. */
        if (sbv)
        {
            input_token.value = sbv->bv_val;
            input_token.length = sbv->bv_len;
        }
    } while (gss_rc == GSS_S_CONTINUE_NEEDED);
</snip>
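An added example written for this thread (not the poster's program or any library's code): a small parser that tells a NegTokenInit from a NegTokenResp and reads negState and supportedMech out of the response, i.e. the check you would make on the token the server sends back before handing it to gss_init_sec_context. Both sample tokens are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample tokens for this thread, not captured traffic. */
static const uint8_t KRB5_OID[] =                     /* 1.2.840.113554.1.2.2 */
    {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const uint8_t SPNEGO_OID[] = {0x2b,0x06,0x01,0x05,0x05,0x02}; /* 1.3.6.1.5.5.2 */
/* NegTokenResp: negState accept-completed(0), supportedMech Kerberos, no responseToken. */
static const uint8_t SAMPLE_RESP[] =
    {0xa1,0x14,0x30,0x12, 0xa0,0x03,0x0a,0x01,0x00,
     0xa1,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
/* NegTokenInit with an empty body: [APPLICATION 0] { SPNEGO OID, [0] {} }. */
static const uint8_t SAMPLE_INIT[] =
    {0x60,0x0c,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x02,0x30,0x00};

/* 1 = NegTokenInit (OID-wrapped), 2 = NegTokenResp (bare [1] tag), 0 = neither. */
int spnego_token_kind(const uint8_t *tok, size_t len)
{
    if (len >= 11 && tok[0] == 0x60 && tok[2] == 0x06 && tok[3] == 6 &&
        memcmp(tok + 4, SPNEGO_OID, 6) == 0 && tok[10] == 0xa0)
        return 1;
    return (len >= 2 && tok[0] == 0xa1) ? 2 : 0;
}

/* Walk a NegTokenResp (short-form DER lengths only) and return its negState
 * (0 = accept-completed) when supportedMech equals want_mech; -2 when the
 * server picked a different mechanism; -1 when the token is malformed. */
int spnego_resp_check(const uint8_t *tok, size_t len,
                      const uint8_t *want_mech, size_t want_len)
{
    size_t i, end, mech_len = 0;
    const uint8_t *mech = NULL;
    int neg_state = -1;
    if (len < 4 || tok[0] != 0xa1 || tok[2] != 0x30 || tok[1] >= 0x80 ||
        tok[3] >= 0x80 || (end = 4 + tok[3]) > len)
        return -1;
    for (i = 4; i + 2 <= end; i += 2 + tok[i + 1]) {
        uint8_t tag = tok[i], l = tok[i + 1];
        const uint8_t *v = tok + i + 2;
        if (l >= 0x80 || i + 2 + l > end) return -1;
        if (tag == 0xa0 && l == 3 && v[0] == 0x0a && v[1] == 1)
            neg_state = v[2];                        /* [0] negState ENUMERATED */
        else if (tag == 0xa1 && l >= 2 && v[0] == 0x06 && v[1] == l - 2) {
            mech = v + 2; mech_len = v[1];           /* [1] supportedMech OID */
        }
    }
    if (neg_state < 0 || mech == NULL) return -1;
    return (mech_len == want_len && memcmp(mech, want_mech, want_len) == 0)
           ? neg_state : -2;
}
```

A NegTokenResp arrives without the SPNEGO OID wrapper, so spnego_token_kind recognises it by its bare [1] tag; feeding such a token to a mechanism that expects its own token format is what produces an "invalid token" style failure.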
More information about the Kerberos mailing list