AcceptSecurityContext (SSPI) fails with SEC_E_LOGON_DENIED and a GSS-API Linux client
Matthew M. DeLoera
mdeloera at exacq.com
Wed Jun 24 12:02:37 EDT 2009
I apologize if this isn't appropriate for this list, but hopefully
someone will see something silly that I shouldn't do, or need to do!
I've searched but haven't seemed to find the answer I need.
I'm running MIT KRB5 (krb5-kdc, kadmin) on an Ubuntu box, and using it
for my kdc and my test client. I'm running Windows XP SP2 (DNS name
deloera.exacqlinux.org) for my test server.
I created 2 Windows users - kerbsvr (pw 54321) and kerbclt (pw 12345) -
and configured XP to authenticate to my KDC with Microsoft's ksetup:
ksetup /setrealm EXACQLINUX.ORG
ksetup /addkdc EXACQLINUX.ORG kdc.exacqlinux.org
ksetup /setcomputerpassword machpw
ksetup /addkpasswd kdc.exacqlinux.org kdc.exacqlinux.org
ksetup /mapuser kerbsvr at EXACQLINUX.ORG kerbsvr
ksetup /mapuser kerbclt at EXACQLINUX.ORG kerbclt
I added kdc.exacqlinux.org to my Windows hosts file.
I created kerbsvr at EXACQLINUX.ORG (pw ks1234), kerbclt at EXACQLINUX.ORG (pw
kc1234), and host/deloera.exacqlinux.org at EXACQLINUX.ORG (pw machpw) on
the kdc. The 2 user passwords are intentionally different between
Windows and the kdc to prove things to myself. I added
deloera.exacqlinux.org to the kdc's /etc/hosts.
I rebooted XP and successfully logged in with kerbsvr/ks1234 to my
EXACQLINUX.ORG realm (in the dropdown). I traced in Linux with
Wireshark. The kdc rejects the first AS-REQ with
KRB5KDC_ERR_PREAUTH_REQUIRED, a second AS-REQ/AS-REP with preauth
material succeeds, and then there's a successful TGS-REQ/TGS-REP.
Everything looks nominally good from the kdc's end. In WireShark, I see
the expected kerbsvr and host/deloera.exacqlinux.org principals.
- Start my test server in Windows (AcquireCredentialsHandle with NULL,
to use cached credentials).
- In Linux, I successfully kinit kerbclt at EXACQLINUX.ORG then start my
test client and WireShark. The client successfully calls gss_import_name
with kerbclt at EXACQLINUX.ORG and gss_acquire_cred.
- The client successfully calls gss_import_name with
host at deloera.exacqlinux.org and then gss_init_sec_context, and sends the
token to my test server.
- The server calls AcceptSecurityContext with the token, and fails with
Any suggestions? Since I was able to log into Windows as kerbsvr, then
I'd think Windows and my kdc must be configured correctly. I
successfully kinit'd on Linux, so the principals should all be fine.
I apologize if this is more of an SSPI question, but I was hoping some
of you have done some interoperability testing and perhaps have
encountered this same situation.
- Matthew DeLoera
More information about the krbdev