gss_acquire_cred failing with no keytable entry found

Amritanshu amritanshu at gmail.com
Tue Nov 28 00:41:28 EST 2017


Hello Kerberos!

I am trying to make a Windows client authenticate with a Linux server in a
domain-joined scenario. I have created a service principal based on the
documentation provided as part of PBIS/gssapps and the MSDN GSS/SSPI interop
documentation [0, 1], and updated the relevant keytab entry in
/etc/krb5.keytab. I am using krb5-1.15.2.
Then I am using the following code on the server side to acquire_cred:

#include <string.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>   /* declares gss_nt_service_name */

static int server_acquire_creds(
    char *service_name,
    gss_cred_id_t *server_creds
    )
{
    int ret = 0;
    gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
    gss_name_t server_name = GSS_C_NO_NAME;
    OM_uint32 maj_stat = 0, min_stat = 0;

    /* Import the command-line string as a host-based service name. */
    name_buf.value = service_name;
    name_buf.length = strlen((char *)name_buf.value) + 1;
    maj_stat = gss_import_name(&min_stat, &name_buf,
                               (gss_OID) gss_nt_service_name, &server_name);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("importing name", maj_stat, min_stat);
        ret = -1;
        goto error;
    }

    /* Acquire acceptor credentials for that name from the keytab. */
    maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
                                GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
                                server_creds, NULL, NULL); /* <-- it fails here */
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("acquiring credentials", maj_stat, min_stat);
        ret = -1;
        goto error;
    }

error:
    (void) gss_release_name(&min_stat, &server_name);

    return ret;
}

**The error I am running into**:

GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information (851968, 851968, 0x000d0000)

GSS-API error acquiring credentials: No key table entry found matching gss\/dell-vostro-155.domain.in/domain.in@ (39756033, 39756033, 0x025ea101)

The service_name passed is "gss/dell-vostro-155.domain.in at domain.in".

I downloaded and compiled the bits and set up traces and breakpoints in the
libgss bits. While stepping through krb5_gss_acquire_cred_from, I see that
the name that is passed is invalid and the gssalloc fails because it is asked
to allocate a very large amount of memory.



I do see the principal in ktutil/list
ktutil: list -e
...
114    2 gss/dell-vostro-155.domain.in at domain.in (des-cbc-crc)
Also,
~/work/gss$ hostname -A
dell-vostro-155.domain.in

This is happening on the server end, where it is going to do a gss_ASC.
The command used to run the application is:

sudo ./gss-server gss/dell-vostro-155.domain.in at domain.in

so gss-server is acting as the "gss" part in the principal name.


Mostly looking for advice on how to go about debugging this.
TIA

[0] https://github.com/josephholsten/pbis/tree/master/gssapps/proxy/sspi-sample
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa380496(v=vs.85).aspx
[2] https://pastebin.com/AVjkLsJY
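
An added illustration, not code from the post or from MIT krb5: a stand-alone C model of how a host-based service name ("service@host") is split at '@' into a two-component principal and displayed with '/' escaped, which yields the exact name printed in the "No key table entry found" message above. It assumes the " at " in the archived text stands for "@"; `hostbased_to_display` and `append_escaped` are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

/* Copy len bytes of src to dst at offset off, backslash-escaping the
 * characters that separate principal components ('/', '@') and '\\'.
 * Only this subset of display escaping is modelled. Returns new offset. */
static size_t append_escaped(char *dst, size_t off, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '/' || src[i] == '@' || src[i] == '\\')
            dst[off++] = '\\';
        dst[off++] = src[i];
    }
    return off;
}

/* Hypothetical helper: treat name as "service@host", build the principal
 * service/host with an empty realm, and render it into out.
 * Returns 0 on success, -1 on an empty service or too small a buffer. */
int hostbased_to_display(const char *name, char *out, size_t cap)
{
    const char *at = strchr(name, '@');      /* first '@' ends the service */
    size_t svc_len = at ? (size_t)(at - name) : strlen(name);
    const char *host = at ? at + 1 : "";
    size_t off;

    /* Worst case: every byte escaped, plus '/', '@' and the terminator. */
    if (svc_len == 0 || 2 * strlen(name) + 3 > cap)
        return -1;
    off = append_escaped(out, 0, name, svc_len);
    if (*host) {
        out[off++] = '/';
        off = append_escaped(out, off, host, strlen(host));
    }
    out[off++] = '@';                        /* realm is not filled in here */
    out[off] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the argument from the post, then service@host form. */
    const char *names[] = { "gss/dell-vostro-155.domain.in@domain.in",
                            "gss@dell-vostro-155.domain.in" };
    char buf[128];
    for (size_t i = 0; i < 2; i++)
        if (hostbased_to_display(names[i], buf, sizeof buf) == 0)
            printf("%-42s -> %s\n", names[i], buf);
    return 0;
}
```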

