GSSAPI Mechanism

Douglas E. Engert deengert at anl.gov
Wed Dec 9 16:48:47 EST 2009 


Shirish Rai wrote:
> I have a fairly basic question. I have written a client (on Solaris) that
> gets a service ticket from Microsoft Kerberos Server (Windows 2003). It then
> tries to establish a context with the service using GSSAPI. 
> 
>  
> 
> The program fails because it cannot find the service ticket in the
> credential cache. The reason it cannot find the ticket is because the
> target_name that I pass to gss_init_sec_context is parsed differently than
> the principal named that is retrieved from the cached. Specifically, the
> target name after it is parsed is set to type KRB5_NT_SRV_HST (1) and the
> service principal from the credential cache is parsed to type
> KRB5_NT_SRV_INST (3). This leads to the components in the principal to be
> different. For example if my principal name is:
> 
>  
> 
> http/service.domain.com at DOMAIN.COM

http is usually upper case, HTTP.

> 
>  
> 
> The target_name has three components:
> 
> http/service.DOMAIN.COM
> 
> host.DOMAIN.COM
> 
> <some binary value>
> 
>  
> 
> Whereas the principal from the cache has two components
> 
> http
> 
> service.DOMAIN.COM
> 
>  
> 
> Therefore the call to krb5_principal_compare fails from
> krb5int_cc_creds_match_request.
> 
>  

Sounds like you call to gss_import_name may be wrong.

Even though Kerberos principals used "service/fqdn at realm"
when calling gss_import_name, the string passed in would be
"service at fqdn" which gets mapped internally to service/fqdn at realm
where realm is determined by the krb5 libs.

> 
> It seems that the parsing of the target_name is dependent on the mechanism
> that I pass to gss_init_sec_context. I pass NULL which means the default
> krb5 mechanism is picked up. 
> 
>  
> 
> Can someone point out what I am missing here. 
> 
>  
> 
> Thank you. 
> 
>  
> 
> Shirish.
> 
>  
> 
>  
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list