krb5 acceptor credentials

letz.yaara letz.yaara at gmail.com
Mon Aug 26 17:50:04 EDT 2013


Ya'ara Letz


On 26 August 2013 15:49, Greg Hudson <ghudson at mit.edu> wrote:

> On 08/26/2013 10:24 AM, letz.yaara wrote:
> > GSSAPI Major error: 'Unspecified GSS failure.  Minor code may provide
> > more information' (code: 0xD0000)
> > GSSAPI Minor error: '' (code: 0x186A4)
> >
> > Does anyone have an idea what this mechanism code is about?
>
> Unfortunately, this minor code (10004) is generated by the mechglue, and
> doesn't have the same meaning every time.
>
> In another message, you implied that you are using SPNEGO.  There was a
> bug in the SPNEGO mech before 1.11 where it obscures the minor code of
> the actual mechanism, which is probably what's going on here.
>

Will check if I can upgrade to the latest, but basically my problem is when
the Linux clock is not in sync with the Active Directory that generated the
keytab file: then the process calling gss_acquire_cred fails and I don't get
a proper error message of CLOCK_SKEW. Is this also part of an older version
(1.10.1)?

>
> > LOG_ERR( "GSSAPI %s error: '%s' (code: 0x%X)", ( status_type ==
> > GSS_C_GSS_CODE ) ? "Major" : "Minor", static_cast<char
> > *>(status_str.value), status_code);
>
> This is technically incorrect; the mechanism is not required to yield a
> zero-terminated C string in status_str.value.  When printing status
> strings with gss_display_status, you should use a format string of
> "%.*s" and arguments of "(int)status_str.length, status_str.value".
>
> But it's not your practical issue.
>

Thank you for pointing that out.

>
> >     krb5 acceptor credentials are always indefinitely valid.  krb5
> >     initiator credentials are not; there is always an expiry time on the
> >     TGT, although it may be a long time.
> >
> > I'm not sure I understand the acceptors credentials part - what kind of
> > tickets does the acceptor (which is an SPN in the active directory) has?
> > Is it only credentials that it has?
>
> Only Kerberos initiators need to get tickets; acceptors do not.
> Kerberos acceptors use the keytab directly to verify incoming messages.
>
If so, when do I get GSS_S_CREDENTIALS_EXPIRED returned by
gss_accept_sec_context? (Maybe if the user has a 30-day password expiration
set up?)
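As an added example (not code from this thread or from MIT krb5), the length-honouring print Greg describes, beside the "%s" version it replaces, plus a decoder for the major-status bit layout, which goes one step past the thread: 0xD0000 carries routine error 13 in bits 16-23, i.e. GSS_S_FAILURE. The status_buf struct is a stand-in for gss_buffer_desc so the file builds without libgssapi; the message bytes are constructed; the HAVE_GSSAPI section shows the real gss_display_status loop and is only compiled when that macro is defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_buffer_desc: the real struct in <gssapi/gssapi.h> has the
 * same two fields (length, value). Defined here so the example builds without
 * libgssapi. */
typedef struct {
    size_t length;
    void *value;
} status_buf;

/* Bit layout of a GSS major status (RFC 2744): calling errors in bits 24-31,
 * routine errors in bits 16-23, supplementary info in bits 0-15. */
unsigned int gss_calling_error(unsigned int major) { return (major >> 24) & 0xff; }
unsigned int gss_routine_error(unsigned int major) { return (major >> 16) & 0xff; }
unsigned int gss_supplementary(unsigned int major) { return major & 0xffff; }

/* Correct: honour msg->length with "%.*s"; the buffer need not be NUL-terminated.
 * Returns characters written (excluding the NUL), or -1 if out was too small. */
int format_status(const char *kind, unsigned int code, const status_buf *msg,
                  char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "GSSAPI %s error: '%.*s' (code: 0x%X)",
                     kind, (int)msg->length, (const char *)msg->value, code);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* The pattern from the thread, kept for contrast: "%s" reads until the first
 * NUL byte, which the mechanism never promised to put there. */
int format_status_unsafe(const char *kind, unsigned int code,
                         const status_buf *msg, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "GSSAPI %s error: '%s' (code: 0x%X)",
                     kind, (const char *)msg->value, code);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

#ifdef HAVE_GSSAPI
#include <gssapi/gssapi.h>
/* Real-world use: walk every message for one status code. gss_display_status
 * returns one message per call and advances message_context until it is 0. */
void log_gss_status(OM_uint32 code, int status_type, gss_OID mech)
{
    OM_uint32 maj, min, ctx = 0;
    gss_buffer_desc msg;
    char line[512];
    do {
        maj = gss_display_status(&min, code, status_type, mech, &ctx, &msg);
        if (GSS_ERROR(maj))
            break;
        status_buf sb = { msg.length, msg.value };
        if (format_status(status_type == GSS_C_GSS_CODE ? "Major" : "Minor",
                          code, &sb, line, sizeof line) >= 0)
            fprintf(stderr, "%s\n", line);
        gss_release_buffer(&min, &msg);
    } while (ctx != 0);
}
#endif

int main(void)
{
    /* Constructed input: a 20-byte message followed by bytes that are NOT part
     * of it, standing in for whatever happens to follow the buffer in memory. */
    char raw[] = "Clock skew too greatJUNKJUNK";
    status_buf msg = { 20, raw };
    char safe[128], unsafe[128];

    format_status("Minor", 0x186A4u, &msg, safe, sizeof safe);
    format_status_unsafe("Minor", 0x186A4u, &msg, unsafe, sizeof unsafe);
    printf("%s\n%s\n", safe, unsafe);
    printf("0xD0000: routine error %u (13 = GSS_S_FAILURE)\n",
           gss_routine_error(0xD0000u));
    return 0;
}
```

Compiled with -DHAVE_GSSAPI and -lgssapi_krb5, log_gss_status(major, GSS_C_GSS_CODE, GSS_C_NO_OID) followed by log_gss_status(minor, GSS_C_MECH_CODE, mech) prints every message for the pair; without the macro the file just demonstrates the two formatting variants on the constructed buffer.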
