GSSAPI client on Windows
Douglas E. Engert
deengert at anl.gov
Thu Jul 7 10:36:01 EDT 2005
SFBZH at aol.com wrote:
> "Douglas E. Engert" <deengert at anl.gov> wrote:
>>Try using the ethereal program on the client to trace network activity.
>>It might show what is going on, including Kerberos traffic with the
> The problem doesn't seem to be a network problem because I import the TGT & the service ticket in the local cache before starting the client. Anyway, I have tried to use ethereal.
Not sure what you mean by "import the TGT & service ticket".
The gssapi libs will get a service ticket for you. You should use kinit
to get the TGT for the user.
Make sure you are getting the correct gssapi32.dll and krb5_32.dll. Several other packages
may have provided versions.
> If the TGT & the service ticket are in the local cache, no network activity is generated between pc35 & pc36 (not even an ARP request) by gss_init_sec_context.
> If the TGT is in the local cache and not the server ticket, no network activity is generated between pc35 & pc36 by gss_init_sec_context.
> Both tests generate a major status of 524288 ("No context has been established") and a minor status of -2045022973. This minor status value is defined in gssapi_err_generic.h as G_VALIDATE_FAILED. If I send it to gss_display_status, the "readable text" string returned is "Unknown routine error (field = 27)". I don't know what it refers to. (In fact, I don't even know if it reports an unknown routine or an unknown error.)
> The conclusion of these tests is that my client program never uses any distant resource. The problem probably comes from the way I use the api, from the compiler configuration or from the local Kerberos configuration. It doesn't seem to come from the KDC nor from a network problem.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
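
Added example, not part of either message and not code from MIT Kerberos: a decoder for the fields of a GSS-API major status word, run over the two status values quoted above. The field offsets and routine error names follow RFC 2744 and are copied in here rather than taken from gssapi.h; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a GSS-API major status word (RFC 2744). */
#define CALLING_ERROR_OFFSET 24
#define ROUTINE_ERROR_OFFSET 16
#define FIELD_MASK           0xFFu      /* calling and routine fields: 8 bits */
#define SUPPLEMENTARY_MASK   0xFFFFu    /* supplementary info: low 16 bits */

/* Routine error names, indexed by field value (RFC 2744); 0 means no error. */
static const char *const routine_names[] = {
    "(none)", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN"
};
#define N_ROUTINE (sizeof routine_names / sizeof routine_names[0])

unsigned calling_field(uint32_t s) { return (s >> CALLING_ERROR_OFFSET) & FIELD_MASK; }
unsigned routine_field(uint32_t s) { return (s >> ROUTINE_ERROR_OFFSET) & FIELD_MASK; }
unsigned supplementary_bits(uint32_t s) { return s & SUPPLEMENTARY_MASK; }

/* Name of the routine error, or NULL when the field value is not defined,
 * which is the case a display routine can only report as unknown. */
const char *routine_name(uint32_t s)
{
    unsigned f = routine_field(s);
    return f < N_ROUTINE ? routine_names[f] : NULL;
}

void explain(const char *label, uint32_t s)
{
    const char *n = routine_name(s);
    printf("%-26s 0x%08lX calling=%u routine=%u (%s) supplementary=0x%04X\n",
           label, (unsigned long)s, calling_field(s), routine_field(s),
           n ? n : "unknown", supplementary_bits(s));
}

int main(void)
{
    explain("major status 524288", (uint32_t)524288);
    /* The minor status from the message, read as if it were a major status. */
    explain("minor status -2045022973", (uint32_t)-2045022973L);
    return 0;
}
```

Read as a major status, the minor status value has routine field 27, the number in the "Unknown routine error (field = 27)" text quoted above. gss_display_status takes major status values with status_type GSS_C_GSS_CODE and minor status values with GSS_C_MECH_CODE.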