GSSAPI client on Windows

Douglas E. Engert deengert at anl.gov
Tue Aug 2 13:54:00 EDT 2005


Windows 98?! Better do what Jeff suggests. There may be issues
with how the Kerberos lib uses DNS from Windows 98. But I would bet
your problem is in not using gss_import_name.


SFBZH at aol.com wrote:

> Fri Jul 8 11:14:16 EDT 2005
> Douglas E. Engert wrote:
> 
>>I agree with Jeff on this. Don't try and get a service ticket first. It
>>will just cause problems. And as you have said it fails either way, so
>>that is not the problem it does not get this far. But when you get the
>>real problem fixed, you want to use the gssapi as it was designed to get
>>the ticket for you.
>>[...]
>>Still looks like a network/DNS problem to me.
>>[...]
>>Fix your network. Try nslookup on these names, and the
>>reverse lookups of the ip numbers.
> 
> 
> Hello,
> I've been a bit busy these days but here I am, back with my problem.
> 
> I have fixed my network: I have a DNS service.
> On pc36, I can do:
> nslookup pc35
> nslookup pc36
> nslookup pc35.domain.com
> nslookup pc36.domain.com
> nslookup 192.168.0.35
> nslookup 192.168.0.36
> Everything works fine.
> 
> The pc35 is a Win 98 workstation. nslookup is not supported. I have downloaded a program called nslook (port of nslookup on win32). All the tests described above work fine.
> 
> Let's get back on my kerberos client.
> pc36 : red hat station supporting the kerberos server.
> pc35 : win98 station supporting my kerberos client developed with GSSAPI.
> user name : user at DOMAIN.COM
> service name : server at pc36.DOMAIN.COM
> 
> I launch kinit to get the TGT for the user and initiate the cache. Then I launch my client. The client is supposed to launch gss_acquire_cred as user at DOMAIN.COM and ask credentials with gss_init_sec_context for server at pc36.DOMAIN.COM.
> 
> gss_acquire_cred works fine.
> 
> gss_init_sec_context fails:
> min_status: -2045022973
>   gss_display_status : Unknown routine error (field = 27)
>   gssapi_err_generic.h : G_VALIDATE_FAILED
>   Validation error
> maj_status: 50462720
>   gss_display_status : A parameter was malformed
> 
> The call is as follows:
> majs = gss_init_sec_context(&mins, cred_handle, &context_handle,
>     server_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG |GSS_C_DELEG_FLAG,
>     GSS_C_INDEFINITE, NULL, GSS_C_NO_BUFFER, NULL, tocken, NULL, NULL);
> 
> cred_handle is the result of gss_acquire_cred which returns min_status and maj_status at 0. I assume it has a correct value.
> server_name is a name_buffer containing "server at pc36.DOMAIN.COM".

What is a name_buffer? Did you create this name_buffer by using
gss_import_name? That takes a gss_buffer_t with a string, and
converts it to a gss_name_t.

> tocken is a name_buffer initialized with GSS_C_NO_BUFFER.

Should be a gss_buffer_t.

> mins, majs and context_handle are not initialized.
> 
> To conclude, I have fixed my network but the problem remains.
> 
> M

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
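
The maj_status quoted above can be split into its fields using the layout in RFC 2744; the following is an added example, not part of the original thread, and the function names are chosen here for illustration (the constant names are the standard ones from the GSS-API C bindings). It shows that 50462720 is 0x03020000, that is, GSS_S_CALL_BAD_STRUCTURE together with GSS_S_BAD_NAME, which points at the target-name argument.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* OM_uint32 major-status fields, RFC 2744 section 3.9.1. */
#define CALLING_ERROR(s) (((uint32_t)(s) >> 24) & 0xffu)
#define ROUTINE_ERROR(s) (((uint32_t)(s) >> 16) & 0xffu)
#define SUPPLEMENTARY(s) ((uint32_t)(s) & 0xffffu)
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Standard names indexed by field value; 0 means no error in that field. */
static const char *const calling_names[] = {
    "none", "GSS_S_CALL_INACCESSIBLE_READ",
    "GSS_S_CALL_INACCESSIBLE_WRITE", "GSS_S_CALL_BAD_STRUCTURE",
};
static const char *const routine_names[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN",
};

const char *gss_calling_error_name(uint32_t maj)
{
    uint32_t v = CALLING_ERROR(maj);
    return v < COUNT(calling_names) ? calling_names[v] : "unknown";
}

const char *gss_routine_error_name(uint32_t maj)
{
    uint32_t v = ROUTINE_ERROR(maj);
    return v < COUNT(routine_names) ? routine_names[v] : "unknown";
}

/* Supplementary bit 0 is GSS_S_CONTINUE_NEEDED: not an error, the caller
 * must send the output token and call gss_init_sec_context again. */
int gss_continue_needed(uint32_t maj)
{
    return (SUPPLEMENTARY(maj) & 1u) != 0;
}

int main(void)
{
    uint32_t maj = 50462720u; /* maj_status quoted in the thread */
    printf("0x%08lx: calling=%s routine=%s continue=%d\n", (unsigned long)maj,
           gss_calling_error_name(maj), gss_routine_error_name(maj),
           gss_continue_needed(maj));
    return 0;
}
```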

