GSSAPI client on Windows

SFBZH@aol.com SFBZH at aol.com
Tue Aug 2 12:51:03 EDT 2005


Fri Jul 8 11:14:16 EDT 2005
Douglas E. Engert wrote:
>I agree with Jeff on this. Don't try and get a service ticket first. It
>will just cause problems. And as you have said it fails either way, so
>that is not the problem it does not get this far. But when you get the
>real problem fixed, you want to use the gssapi as it was designed to get
>the ticket for you.
> [...]
>Still looks like a network/DNS problem to me.
> [...]
>Fix your network. Try nslookup on these names, and the
>reverse lookups of the ip numbers.

Hello,
I've been a bit busy these days but here I am, back with my problem.

I have fixed my network: I have a DNS service.
On pc36, I can do:
nslookup pc35
nslookup pc36
nslookup pc35.domain.com
nslookup pc36.domain.com
nslookup 192.168.0.35
nslookup 192.168.0.36
Everything works fine.

The pc35 is a Win 98 workstation. nslookup is not supported. I have downloaded a program called nslook (port of nslookup on win32). All the tests described above work fine.

Let's get back on my kerberos client.
pc36 : red hat station supporting the kerberos server.
pc35 : win98 station supporting my kerberos client developed with GSSAPI.
user name : user@DOMAIN.COM
service name : server@pc36.DOMAIN.COM

I launch kinit to get the TGT for the user and initiate the cache. Then I launch my client. The client is supposed to launch gss_acquire_cred as user@DOMAIN.COM and ask for credentials with gss_init_sec_context for server@pc36.DOMAIN.COM.

gss_acquire_cred works fine.

gss_init_sec_context fails:
min_status: -2045022973
  gss_display_status : Unknown routine error (field = 27)
  gssapi_err_generic.h : G_VALIDATE_FAILED
  Validation error
maj_status: 50462720
  gss_display_status : A parameter was malformed

The call is as follows:
majs = gss_init_sec_context(&mins, cred_handle, &context_handle,
    server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG |GSS_C_DELEG_FLAG,
    GSS_C_INDEFINITE, NULL, GSS_C_NO_BUFFER, NULL, tocken, NULL, NULL);

cred_handle is the result of gss_acquire_cred which returns min_status and maj_status at 0. I assume it has a correct value.
server_name is a name_buffer containing "server@pc36.DOMAIN.COM".
tocken is a name_buffer initialized with GSS_C_NO_BUFFER.
mins, majs and context_handle are not initialized.

To conclude, I have fixed my network but the problem remains.

M
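
The two status numbers quoted in the message above can be taken apart without calling the library. This is an added example, not part of the original post or of MIT Kerberos: it splits maj_status into its RFC 2744 fields and splits min_status as a com_err code (table name plus offset). All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 2744 major status layout: calling error in bits 24-31,
 * routine error in bits 16-23, supplementary info in bits 0-15. */
static unsigned gss_calling_field(uint32_t maj) { return (maj >> 24) & 0xFFu; }
static unsigned gss_routine_field(uint32_t maj) { return (maj >> 16) & 0xFFu; }
static unsigned gss_supplementary(uint32_t maj) { return maj & 0xFFFFu; }

/* Field value -> RFC 2744 constant name (array index = field value). */
static const char *const CALLING[] = { "none", "GSS_S_CALL_INACCESSIBLE_READ",
    "GSS_S_CALL_INACCESSIBLE_WRITE", "GSS_S_CALL_BAD_STRUCTURE" };
static const char *const ROUTINE[] = { "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME",
    "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED",
    "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN" };

static const char *calling_name(uint32_t maj) {
    unsigned v = gss_calling_field(maj);
    return v < sizeof CALLING / sizeof *CALLING ? CALLING[v] : "unknown";
}
static const char *routine_name(uint32_t maj) {
    unsigned v = gss_routine_field(maj);
    return v < sizeof ROUTINE / sizeof *ROUTINE ? ROUTINE[v] : "unknown";
}

/* com_err code: low 8 bits are the offset inside an error table; the next
 * 24 bits pack the table name as up to four 6-bit characters. */
static unsigned comerr_offset(int32_t code) { return (uint32_t)code & 0xFFu; }
static const char *comerr_table(int32_t code, char out[5]) {
    static const char set[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
    uint32_t base = ((uint32_t)code >> 8) & 0xFFFFFFu;
    char *p = out;
    for (int shift = 18; shift >= 0; shift -= 6) {
        unsigned ch = (base >> shift) & 0x3Fu;
        if (ch != 0) *p++ = set[ch - 1];   /* 0 means "no character" */
    }
    *p = '\0';
    return out;
}

int main(void) {
    uint32_t maj = 50462720u;     /* maj_status quoted in the post */
    int32_t min = -2045022973;    /* min_status quoted in the post */
    char tab[5];
    printf("major: calling=%s routine=%s supplementary=0x%04x\n",
           calling_name(maj), routine_name(maj), gss_supplementary(maj));
    printf("minor: table=%s offset=%u\n", comerr_table(min, tab), comerr_offset(min));
    return 0;
}
```

For the values in the post, the major status splits into calling error GSS_S_CALL_BAD_STRUCTURE and routine error GSS_S_BAD_NAME, and the minor status is offset 3 in the com_err table "ggss", the table behind gssapi_err_generic.h.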