Problem with SPNEGO on Solaris 10 build 4

Markus Moeller huaraz at moeller.plus.com
Mon Jul 21 17:05:52 EDT 2008


I use build 4 and in general it works fine. I have now compiled the 
gss-sample test client and server on OpenSolaris and Solaris 10 build 4.

On OpenSolaris I get:

client:
 ./gss-client -port 11000 -mech 1.3.6.1.5.5.2 opensolaris.solaris.home HTTP test
Sending init_sec_context token (size=606)...continue needed...

context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"markus at SOLARIS.HOME" to "HTTP/opensolaris.solaris.home at SOLARIS.HOME", 
lifetime 35860, flags 136, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 2 1 }.
Mechanism { 1 3 6 1 5 5 2 } supports 4 names
  0: { 1 2 840 113554 1 2 1 1 }
  1: { 1 2 840 113554 1 2 1 2 }
  2: { 1 2 840 113554 1 2 1 3 }
  3: { 1 3 6 1 5 6 2 }
Signature verified.

server:
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Accepted connection: "markus at SOLARIS.HOME"
Received message: "test"
NOOP token


whereas on Solaris 10 I get:

client:
./gss-client -port 11000  -mech 1.3.6.1.5.5.2  solaris10 HTTP Test
Sending init_sec_context token (size=581)...continue needed...reading token flags: 0 bytes read

server:
./gss-server -port 11000 HTTP
GSS-API error accepting context: No credentials were supplied, or the credentials were unavailable or inaccessible
GSS-API error accepting context: No error

So it looks to me like a bug in Solaris 10.

Markus


"Douglas E. Engert" <deengert at anl.gov> wrote in message 
news:4884B822.8030504 at anl.gov...
>
>
> Markus Moeller wrote:
>>  I tried to use my squid_kerb_auth on Solaris 10 and fail. My configure
>> determines it supports SPNEGO but when I use it I get
>>
>> 2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
>> credentials were supplied, or the credentials were unavailable or
>> inaccessible. No error
>> BH gss_accept_sec_context() failed: No credentials were supplied, or the
>> credentials were unavailable or inaccessible. No error
>> 2008/07/20 16:11:37| squid_kerb_auth: User not authenticated
>>
>> To test it I did a kinit as a user and ran squid_kerb_auth_test which
>> creates a base64 encoded token.
>> ./squid_kerb_auth_test testserver.solaris.home
>> Token: YIICPAYGKwYBBQUCoIICMDCCAiygDTALBg......
>>
>> I then use the token as input to squid_kerb_auth
>>
>> ./squid_kerb_auth -i -d  <<!
>>> YIICPAYGKwYBBQUCoIICMDCCAiygDTALBgkqh...
>>> !
>>
>> 2008/07/20 16:11:36| squid_kerb_auth: Starting version 1.0.1
>> 2008/07/20 16:11:36| squid_kerb_auth: Got 'YR YIICPAYGKwYBBQUCoII.... 
>> from
>> squid (length: 771).
>> 2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
>> credentials were supplied, or the credentials were unavailable or
>> inaccessible. No error
>> BH gss_accept_sec_context() failed: No credentials were supplied, or the
>> credentials were unavailable or inaccessible. No error
>> 2008/07/20 16:11:37| squid_kerb_auth: User not authenticated
>>
>>
>> When I do the same on any other platform (including OpenSolaris) it works
>> fine. Also when I configure squid_kerb_auth without -DHAVE_SPNEGO it works
>> fine, e.g. I get:
>>
>> 2008/07/20 16:11:07| squid_kerb_auth: Starting version 1.0.1
>> 2008/07/20 16:11:07| squid_kerb_auth: Got 'YR YIICEQYJKoZIhvcSAQICAQB....
>> from squid (length: 715).
>> 2008/07/20 16:11:07| squid_kerb_auth: parseNegTokenInit failed with 
>> rc=102
>> 2008/07/20 16:11:07| squid_kerb_auth: Token is possibly a GSSAPI token
>> AF AA== markus at SOLARIS.HOME
>> 2008/07/20 16:11:07| squid_kerb_auth: AF AA== markus at SOLARIS.HOME
>> 2008/07/20 16:11:07| squid_kerb_auth: User markus at SOLARIS.HOME 
>> authenticated
>>
>>
>> Is this a known problem with Solaris 10 or must I specify the right
>> mechanism?
>>
>
> I had some problems with mod_auth_kerb with SPNEGO on Solaris 10, but mostly
> with storing delegate credentials.
> http://opensolaris.org/jive/thread.jspa?threadID=59270&tstart=0
>
> It might have to do with what maintenance level you are at.
> Over the life of Solaris 10, Sun has made quite a few changes, including
> adding the Kerberos header files.  ldd might also show something.
>
>>
>> Thank you
>> Markus
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> -- 
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
> 
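
An added example, not part of the original thread or of squid_kerb_auth: a small diagnostic that reads the mechanism OID from the header of a base64 GSS-API initial token, so the SPNEGO-wrapped token (1.3.6.1.5.5.2) and the raw Kerberos 5 token in the logs above can be told apart before gss_accept_sec_context() is called. The function names are hypothetical; the "YR " prefix and the "...." elision handled here are the ones shown in the quoted debug output.

```python
import base64

# OIDs seen on this page: the gss-client -mech value and the raw Kerberos 5 mechanism.
MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5"}

def der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated before DER length")
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def oid_to_dotted(body):
    """Convert DER OID content octets to dotted-decimal text."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:                  # continuation bit: more octets in this arc
            continue
        if not arcs:                      # first subidentifier packs the first two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def token_mechanism(text):
    """Return (oid, name, declared_len) for a base64 GSS-API initial token or its prefix."""
    # Drop the helper-protocol "YR " prefix and the "...." elision used in the logs.
    text = text.strip().removeprefix("YR ").rstrip(".")
    raw = base64.b64decode(text[:len(text) // 4 * 4])
    if len(raw) < 2 or raw[0] != 0x60:    # [APPLICATION 0] wrapper of an initial token
        raise ValueError("not a GSS-API initial context token")
    declared_len, pos = der_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:
        raise ValueError("no mechanism OID after the token header")
    oid_len, pos = der_length(raw, pos + 1)
    if pos + oid_len > len(raw):
        raise ValueError("prefix too short to hold the mechanism OID")
    oid = oid_to_dotted(raw[pos:pos + oid_len])
    return oid, MECHS.get(oid, "unknown"), declared_len
```

The declared length also works as a truncation check: for the SPNEGO token it is 572 bytes, plus 4 header bytes gives 576 bytes, which is 768 base64 characters, and with the 3-character "YR " prefix that matches the "length: 771" in the log.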