GSSAPI security context integrity check

Greg Hudson ghudson at
Wed May 6 20:26:57 EDT 2020

On 5/6/20 1:18 PM, Alexandr Nedvedicky wrote:
> not sure if it is the right place to ask questions related to GSSAPI, will be
> glad for any useful pointers.

This is the right place, since it relates to the MIT krb5 GSS

> Customer switched to Solaris 11.4, which comes with kerberos
> 1.16.

Are there Solaris-specific modifications to this code, or is it
unmodified 1.16?

> two security contexts attempted to use integrity protection.

The two filenames had the same suffix (c523660).  If I understand
correctly, that is the pointer value of the krb5 GSS context object--so
both g_seqstate_init() calls were for the same context (which is
consistent with the initial sequence numbers being the same).  It would
be very interesting to know the stack traces of the two
g_seqstate_init() calls, although that might be difficult to collect
remotely.  Normally there should only be one g_seqstate_init() call for
a context, from kg_accept_krb5().

More information about the krbdev mailing list