krb5 acceptor credentials

Greg Hudson ghudson at MIT.EDU
Mon Aug 26 10:49:52 EDT 2013

On 08/26/2013 10:24 AM, letz.yaara wrote:
> GSSAPI Major error: 'Unspecified GSS failure.  Minor code may provide more information' (code: 0xD0000)
> GSSAPI Minor error: '' (code: 0x186A4) 
> Does anyone have an idea what this mechanism code is about?

Unfortunately, this minor code (10004) is generated by the mechglue, and
doesn't have the same meaning every time.

In another message, you implied that you are using SPNEGO.  There was a
bug in the SPNEGO mech before 1.11 where it obscures the minor code of
the actual mechanism, which is probably what's going on here.

> LOG_ERR( "GSSAPI %s error: '%s' (code: 0x%X)", ( status_type ==
> GSS_C_GSS_CODE ) ? "Major" : "Minor", static_cast<char
> *>(status_str.value), status_code);

This is technically incorrect; the mechanism is not required to yield a
zero-terminated C string in status_str.value.  When printing status
strings with gss_display_status, you should use a format string of
"%.*s" and arguments of "(int)status_str.length, status_str.value".

But it's not your practical issue.

>     krb5 acceptor credentials are always indefinitely valid.  krb5 initiator
>     credentials are not; there is always an expiry time on the TGT, although
>     it may be a long time.
> I'm not sure I understand the acceptors credentials part - what kind of
> tickets does the acceptor (which is an SPN in the active directory) has?
> Is it only credentials that it has?

Only Kerberos initiators need to get tickets; acceptors do not.
Kerberos acceptors use the keytab directly to verify incoming messages.

More information about the krbdev mailing list