MS KRB5 vs KRB 5 GSS API/SPNEGO question

Prakash Narayanaswamy prakash at nutanix.com
Fri Sep 26 15:28:15 EDT 2014


Hello,

We're using MIT Kerberos v5-1.10.3. Occasionally we're seeing
authentication failures. The gss_display_status call on the minor status
code returned by the gss_accept_sec_context (major status == GSS_S_FAILURE)
gives the following error message: *Cannot create replay cache file
/var/tmp/host_1000: File exists.*

Why does this happen? The problem, however, does seem to resolve itself.

Prakash

Prakash N | 408 771 4273


On Tue, Feb 4, 2014 at 11:15 AM, Prakash Narayanaswamy <prakash at nutanix.com>
wrote:

> Greg, the patch that you gave us fixed the issue. Thanks for the prompt
> debugging and a quick patch.
>
>
> Prakash
>
>
>
>
> On Mon, Feb 3, 2014 at 6:53 PM, Prakash Narayanaswamy <prakash at nutanix.com> wrote:
>
>> Thanks a lot, Greg. We'll take the patch, apply it, test it and get back
>> to you. Thanks again.
>>
>> Prakash
>>
>> Prakash N | 408 771 4273
>>
>>
>>
>> On Mon, Feb 3, 2014 at 6:31 PM, Greg Hudson <ghudson at mit.edu> wrote:
>>
>>> On 02/03/2014 02:26 PM, Prakash Narayanaswamy wrote:
>>> > Hello, We are trying to get a service (a SMB server) running on Linux
>>> > kerberized using the GSS API. During the negotiation (SPNEGO), the Windows
>>> > SMB client specifies MS KRB5 (1.2.840.48018.1.2.2) as the preferred
>>> > mechanism and supplies the initial token. The gss_accept_sec_context method
>>> > on the server accepts the token and generates a *NegTokenResp*, setting the
>>> > *negState* to *"accept-completed"* and *supportedMech* to *KRB5
>>> > (1.2.840.113554.1.2.2)* among other things.
>>> [...]
>>> > The question now is this: Is there a better way of doing this? Are we
>>> > missing something here?
>>>
>>> Nope, it's just a bug.  I apparently introduced it in 1.10 when fixing
>>> another issue.  Thanks for investigating it in enough detail to make it easy
>>> to find the mistake.
>>>
>>> Here is a candidate fix, which should make its way into master and
>>> 1.12.2:
>>>
>>>   https://github.com/greghudson/krb5/commits/spnegofix
>>>
>>> Here is the bug-tracker entry I filed:
>>>
>>>   http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858
>>>
>>
>>
>
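
The two mechanism OIDs named in the quoted exchange, DER-encoded and compared, as an added example that is not part of the original thread or of MIT krb5; the helper names `oid_to_der` and `krb5_mech_kind` are hypothetical. It shows that the encodings differ in a single byte, so code that compares mechanism OIDs byte for byte treats MS KRB5 and KRB5 as two distinct mechanisms.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OID_KRB5    "1.2.840.113554.1.2.2"  /* KRB5, as quoted in the thread */
#define OID_MS_KRB5 "1.2.840.48018.1.2.2"   /* MS KRB5, as quoted in the thread */

/* Hypothetical helper: write the DER content octets of a dotted OID; 0 on error. */
size_t oid_to_der(const char *dotted, unsigned char *out, size_t cap)
{
    unsigned long arcs[16];
    size_t n = 0, len = 0;
    char *end = NULL;
    while (n < 16) {
        arcs[n++] = strtoul(dotted, &end, 10);
        if (end == dotted) return 0;          /* empty arc, e.g. "1..2" */
        if (*end != '.') break;
        dotted = end + 1;
    }
    if (*end || n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    arcs[1] += arcs[0] * 40;                  /* first two arcs share one value */
    for (size_t i = 1; i < n; i++) {
        unsigned char tmp[10];
        size_t t = 0;
        unsigned long v = arcs[i];
        do { tmp[t++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
        if (len + t > cap) return 0;          /* output buffer too small */
        while (t--) out[len++] = (unsigned char)(tmp[t] | (t ? 0x80 : 0));
    }
    return len;
}

/* Hypothetical helper: 1 = KRB5, 2 = MS KRB5, 0 = any other mechanism OID. */
int krb5_mech_kind(const unsigned char *der, size_t len)
{
    unsigned char ref[16];
    size_t n = oid_to_der(OID_KRB5, ref, sizeof ref);
    if (len == n && memcmp(der, ref, n) == 0) return 1;
    n = oid_to_der(OID_MS_KRB5, ref, sizeof ref);
    if (len == n && memcmp(der, ref, n) == 0) return 2;
    return 0;
}

int main(void)
{
    unsigned char a[16], b[16];
    size_t la = oid_to_der(OID_KRB5, a, sizeof a), lb = oid_to_der(OID_MS_KRB5, b, sizeof b);
    for (size_t i = 0; i < la && i < lb; i++)   /* print both encodings side by side */
        printf("%zu: %02x %02x%s\n", i, a[i], b[i], a[i] != b[i] ? "  <- differs" : "");
}
```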

