How to use GSS-API to add second credential

Wed Feb 16 08:45:52 EST 2005

Newman, Edward (IDS GNS) wrote:

> If I use "gss_mech_krb5" as the mechanism then I get an "unresolved
> external" link error on Windows platform.

gss_mech_krb5 is a constant internal to the library which points into
an array of oids.  I have found that applications should maintain their
own list of supported mechanism OIDs when a specific mechanism is desired:

static CONST gss_OID_desc
my_krb5_gss_oid_array[] = {
    /* this is the official, rfc-specified OID */
    {9, "\052\206\110\206\367\022\001\002\002"},
    /* this is the v2 assigned OID */
    {9, "\052\206\110\206\367\022\001\002\003"},
    /* these two are name type OID's */
    {10, "\052\206\110\206\367\022\001\002\002\001"},
    {10, "\052\206\110\206\367\022\001\002\002\002"},
    { 0, 0 }
};

static CONST gss_OID_desc * CONST gss_mech_krb5 = my_krb5_gss_oid_array+0;
static CONST gss_OID_desc * CONST gss_mech_krb5_v2 = 
my_krb5_gss_oid_array+1;
static CONST gss_OID_desc * CONST gss_nt_krb5_name = 
my_krb5_gss_oid_array+2;
static CONST gss_OID_desc * CONST gss_nt_krb5_principal = 
my_krb5_gss_oid_array+3;

> Looking at the gss-api code it looks like gss_add_cred tests for the two
> mechanisms - gss_mech_krb5 & gss_mech_krb5_old - explicitly. These do
> not appear to be exported through gssapi32.lib so cannot be resolved at
> link time. None of the other defined mechanisms appear to match the
> tested values.

the gss_mech_krb5 and gss_mech_krb5_old which are tested within 
gss_add_cred() are global variables internal to the library and will not 
result in linkage errors.  A linkage error will only occur if you 
attempt to reference these internal variables within the application 
linked to the gssapi32.dll.

Jeffrey Altman