Correct way of using SPNEGO OID with MIT Kerberos

arpit.orb arpit.orb at gmail.com
Wed Jan 29 23:02:02 EST 2014


Thanks Greg. I figured out the problem.

I was not calling gss_acquire_cred before calling gss_init_sec_context. As client cred, I was simply passing NO CREDENTIALS.

So, it is important to call acquire_cred API for client credential handle and then use that in context establishment.

Arpit

-------- Original message --------
From: Greg Hudson <ghudson at MIT.EDU> 
Date:28/01/2014  4:03 AM  (GMT+05:30) 
To: Arpit Srivastava <arpit.orb at gmail.com>,kerberos <kerberos at mit.edu> 
Subject: Re: Correct way of using SPNEGO OID with MIT Kerberos 

(I removed krbdev from the CC list in this reply because this isn't
about the development of MIT krb5.  Please pick just one list when
sending mail.)

On 01/27/2014 01:01 PM, Arpit Srivastava wrote:
> However, when I use OID of SPNEGO by passing it as parameter to
> gss_init_sec_context() method, the library tries to acquire creds for all
> the mechanism available but fails to do so in all three attempts, perhaps
> for each mechanism (in spnego_mech.c). Call to gss_init_sec_context fails
> with minor status 100004.

I'm not sure why credential acquisition in the krb5 mech would work
directly but not through SPNEGO.  Unfortunately, the minor code is not
useful since it's just an entry in a mechglue map; you must pass it to
gss_display_status in the process which produced the code to find out
what it means.

> I can also not figure out how to give my preference for supported
> mechanisms.

gss_set_neg_mechs, as described in RFC 4178.

