Correct way of using SPNEGO OID with MIT Kerberos

Greg Hudson ghudson at MIT.EDU
Mon Jan 27 17:33:47 EST 2014


(I removed krbdev from the CC list in this reply because this isn't
about the development of MIT krb5.  Please pick just one list when
sending mail.)

On 01/27/2014 01:01 PM, Arpit Srivastava wrote:
> However, when I use OID of SPNEGO by passing it as parameter to
> gss_init_sec_context() method, the library tries to acquire creds for all
> the mechanism available but fails to do so in all three attempts, perhaps
> for each mechanism (in spnego_mech.c). Call to gss_init_sec_context fails
> with minor status 100004.

I'm not sure why credential acquisition in the krb5 mech would work
directly but not through SPNEGO.  Unfortunately, the minor code is not
useful since it's just an entry in a mechglue map; you must pass it to
gss_display_status in the process which produced the code to find out
what it means.

> I can also not figure out how to give my preference for supported
> mechanisms.

gss_set_neg_mechs, as described in RFC 4178.
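
An added example, not part of the original message: GSS-API takes a mechanism OID (the SPNEGO OID passed as mech_type, or each member of the set given to gss_set_neg_mechs) as a gss_OID_desc whose elements field holds the DER content octets of the OID, and this encoder produces those octets from dotted form. The function names are this example's own, and the two OID values come from RFC 4178 and RFC 1964 rather than from the thread.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Mechanism OIDs in dotted form: SPNEGO (RFC 4178), Kerberos V5 (RFC 1964). */
#define OID_SPNEGO "1.3.6.1.5.5.2"
#define OID_KRB5   "1.2.840.113554.1.2.2"

/* Append one arc in base 128; every byte but the last has the high bit set. */
static int put_arc(unsigned long v, unsigned char *out, size_t cap, size_t *n)
{
    unsigned char tmp[sizeof(v) * 8 / 7 + 1];
    size_t i = 0;
    do { tmp[i++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    if (*n + i > cap) return -1;
    while (i--) out[(*n)++] = (unsigned char)(tmp[i] | (i ? 0x80 : 0));
    return 0;
}

/* Encode a dotted OID into the octets gss_OID_desc.elements points to.
 * Returns the length, or -1 on malformed input or a buffer that is too small. */
long oid_to_elements(const char *p, unsigned char *out, size_t cap)
{
    unsigned long first = 0, v;
    size_t n = 0, count = 0;
    char *end;
    for (;; p = end + 1, count++) {
        if (*p < '0' || *p > '9') return -1;   /* empty arc, sign or space */
        errno = 0;
        v = strtoul(p, &end, 10);
        if (errno == ERANGE) return -1;
        if (count == 0) first = v;             /* merged with the second arc */
        if (count == 1) {                      /* first byte is 40*X + Y */
            if (first > 2 || (first < 2 && v > 39) || v > ULONG_MAX - 80) return -1;
            v += first * 40;
        }
        if (count > 0 && put_arc(v, out, cap, &n)) return -1;
        if (*end == '\0') return count >= 1 ? (long)n : -1;
        if (*end != '.') return -1;
    }
}

int main(void)
{
    unsigned char buf[32];
    long i, len = oid_to_elements(OID_SPNEGO, buf, sizeof buf);
    for (i = 0; i < len; i++) printf("%02x ", buf[i]);
    return len < 0;
}
```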

