GSSAPI security context integrity check
Greg Hudson
ghudson at mit.edu
Wed May 6 20:26:57 EDT 2020
On 5/6/20 1:18 PM, Alexandr Nedvedicky wrote:
> not sure if it is the right place to ask questions related to GSSAPI, will be
> glad for any useful pointers.
This is the right place, since it relates to the MIT krb5 GSS
implementation.
> Customer switched to Solaris 11.4, which comes with kerberos
> 1.16.
Are there Solaris-specific modifications to this code, or is it
unmodified 1.16?
> two security contexts attempted to use integrity protection.
The two filenames had the same suffix (c523660). If I understand
correctly, that is the pointer value of the krb5 GSS context object--so
both g_seqstate_init() calls were for the same context (which is
consistent with the initial sequence numbers being the same). It would
be very interesting to know the stack traces of the two
g_seqstate_init() calls, although that might be difficult to collect
remotely. Normally there should only be one g_seqstate_init() call for
a context, from kg_accept_krb5().
More information about the krbdev
mailing list