GSSAPI client on Windows

Jeffrey Altman jaltman at columbia.edu
Fri Jul 8 08:29:26 EDT 2005


SFBZH at aol.com wrote:

> I know that the gssapi should get the service ticket itself but I have a good reason to do that. (well, I think so)
> If the service ticket has not been previously imported, when gss_init_sec_context fails, the problem may come from the KDC, the network, the local krbcc32s, the local network configuration, the gssapi call...
> If the service ticket is already in the local cache, the problem is much more localised. Everything takes place on the Windows station (pc35). The elements I have to check are my call to the gssapi, my kerberos local installation and my kerberos local configuration. (Incremental debugging :p ) It seems that the client program (gssapi) doesn't interact properly or doesn't interact at all with the local cache manager (krbcc32s) but I don't know how to check it. Is there a local cache configuration file? How does the gssapi find the local cache? How does it find out which mechanism to use? (krb4, krb5...)

Unfortunately, by doing so you are removing your best opportunity to
diagnose where the problem actually lies. As you describe it, how
would you know if the gssapi32.dll library was in fact unable to talk
with the ccache?  One way of knowing that it does is by letting it
obtain the ticket for you.



> I feel my krb5.ini is weak. Is this correct? I've got nothing more than that:
> [libdefaults]
>     default_domain = domain.com
>     default_realm = DOMAIN.COM
> 
> [realms]
>     DOMAIN.COM = {
>         admin_server = pc36:750
>         kdc = 192.168.0.36:88
>     }

There should be no need to specify the default ports and you should use
fully qualified domain names for the host entries. Other than that
there is nothing wrong here.

The most likely point of failure is DNS.  If you are using IP addresses
because you don't have a working DNS for your private subnet, that is
where you must look first.

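An added example, not part of the original thread: a small check that applies the reply's advice to the `kdc` and `admin_server` entries of a krb5.ini (no redundant default ports, fully qualified names instead of IP literals or short names, and names that resolve in DNS). The function name `lint_krb5_hosts` and the injectable `resolve` parameter are hypothetical; the default ports 88 (KDC) and 749 (kadmin) are the standard MIT Kerberos values, and only hostnames and IPv4 literals are handled.

```python
import ipaddress
import re
import socket

# Constructed sample: the configuration quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_domain = domain.com
    default_realm = DOMAIN.COM

[realms]
    DOMAIN.COM = {
        admin_server = pc36:750
        kdc = 192.168.0.36:88
    }
"""

DEFAULT_PORTS = {"kdc": 88, "admin_server": 749}  # standard MIT krb5 defaults


def lint_krb5_hosts(text, resolve=socket.getaddrinfo):
    """Return (key, value, problem) tuples for kdc/admin_server entries."""
    findings = []
    pattern = r"^\s*(kdc|admin_server)\s*=\s*(\S+)"
    for key, value in re.findall(pattern, text, re.M):
        host, _, port = value.partition(":")  # host[:port]; IPv6 not handled
        if port.isdigit() and int(port) == DEFAULT_PORTS[key]:
            findings.append((key, value, "default port is redundant"))
        try:
            ipaddress.ip_address(host)
            findings.append((key, value, "IP literal, use a fully qualified name"))
            continue  # nothing to look up for a literal address
        except ValueError:
            pass  # not an IP address, treat it as a hostname
        if "." not in host:
            findings.append((key, value, "hostname is not fully qualified"))
        try:
            resolve(host, None)  # forward lookup with the system resolver
        except OSError:  # socket.gaierror is a subclass of OSError
            findings.append((key, value, "name does not resolve in DNS"))
    return findings


if __name__ == "__main__":
    for finding in lint_krb5_hosts(SAMPLE):
        print(finding)
```
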


More information about the krbdev mailing list