gss_init_sec_context with delegated_cred_handle error

Xie, Hugh hugh.xie at bankofamerica.com
Mon Oct 27 08:55:11 EDT 2014 

I think the delegated_cred_handle output from gss_accept_sec_context, has principal in lower case. When delegated_cred_handle passed to gss_init_sec_context the default principal of the krbtgt is in upper case causing the "Matching credential not found" error. Can I report this as a bug?



-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Xie, Hugh
Sent: Thursday, October 23, 2014 11:39 AM
To: <kerberos at mit.edu>
Subject: gss_init_sec_context with delegated_cred_handle error

Hi,

When I pass GSS_C_NO_CREDENTIAL as cred_handle to gss_init_sec_context(), I got no error. But when I pass delegated_cred_handle (output from gss_accept_sec_context) as cred_handle to gss_init_sec_context(), I got 'Matching credential not found' error. It seems that when passing delegated_cred_handle gss_init_sec_context care about ticket cache. In my case the default principal in the ticket cache was upper case USERID at MY.DOMAIN.COM. Currently, I can remedy the situation by running a 'kinit userid at MY.DOMAIN.COM<mailto:userid at MY.DOMAIN.COM> -t -v $KRB5_KTNAME' to create a lower case default principal userid at MY.DOMAIN.COM<mailto:userid at MY.DOMAIN.COM>.

I have two questions:

1.      Why gss_init_sec_context care about ticket cache default principal when using delegated_cred_handle? Why it works when I am not delegating?

2.      Is there a better approach to remedy this problem other than kinit since the ticket cache could expire overtime, I am running a web service that could stop working if it expires? Is there a code based solution?

I am using krb5 version 1.11.5

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.

More information about the Kerberos mailing list