Re : GSSAPI client on Windows

Re : GSSAPI client on Windows

SFBZH
"Douglas E. Engert" <[hidden email]> wrote:
>Try using the ethereal program on the client to trace network activity.
>It might show what is going on, including Kerberos traffic with the
>KDC.
The problem doesn't seem to be a network problem because I import the TGT & the service ticket in the local cache before starting the client. Anyway, I have tried to use ethereal.

If the TGT & the service ticket are in the local cache, no network activity is generated between pc35 & pc36 (not even an ARP request) by gss_init_sec_context.

If the TGT is in the local cache and not the server ticket, no network activity is generated between pc35 & pc36 by gss_init_sec_context.

Both tests generate a major status of 524288 ("No context has been established") and a minor status of -2045022973. This minor status value is defined in gssapi_err_generic.h as G_VALIDATE_FAILED. If I send it to gss_display_status, the "readable text" string returned is "Unknown routine error (field = 27)". I don't know what it refers to. (In fact, I don't even know if it reports an unknown routine or an unknown error.)

The conclusion of these tests is that my client program never uses any distant resource. The problem probably comes from the way I use the API, from the compiler configuration or from the local Kerberos configuration. It doesn't seem to come from the KDC nor from a network problem.

M
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
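
Added example, not part of either message: a decoder for the major-status field layout defined in RFC 2744, applied to the two values reported above (the helper names are made up for this example). It shows that 524288 carries routine error 8 (GSS_S_NO_CONTEXT), and that reading the minor status -2045022973 as if it were a major status gives routine-error field 27, which RFC 2744 does not define. Whether gss_display_status was called that way (status type GSS_C_GSS_CODE rather than GSS_C_MECH_CODE) is an assumption; the thread does not show the call.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a GSS-API major status word (RFC 2744). */
#define CALLING_ERROR_OFFSET 24
#define ROUTINE_ERROR_OFFSET 16
#define FIELD_MASK           0xFFu    /* calling and routine error fields */
#define SUPPLEMENTARY_MASK   0xFFFFu  /* supplementary info bits */

static unsigned calling_error_field(uint32_t s) { return (s >> CALLING_ERROR_OFFSET) & FIELD_MASK; }
static unsigned routine_error_field(uint32_t s) { return (s >> ROUTINE_ERROR_OFFSET) & FIELD_MASK; }
static unsigned supplementary_bits(uint32_t s)  { return s & SUPPLEMENTARY_MASK; }

/* Routine error names indexed by field value; RFC 2744 defines 1..18. */
static const char *const routine_names[] = {
    "no routine error", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED",
    "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
    "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN"
};

/* Returns the RFC 2744 name for a routine-error field value, or NULL when
   the value is outside the defined range (an "unknown routine error"). */
static const char *routine_error_name(unsigned field) {
    size_t n = sizeof routine_names / sizeof routine_names[0];
    return field < n ? routine_names[field] : NULL;
}

/* Prints the three fields of a status word interpreted as a major status. */
static void describe(const char *label, int32_t status) {
    uint32_t s = (uint32_t)status;
    const char *name = routine_error_name(routine_error_field(s));
    printf("%-20s 0x%08X calling=%u routine=%u (%s) supplementary=0x%04X\n",
           label, (unsigned)s, calling_error_field(s), routine_error_field(s),
           name ? name : "unknown", supplementary_bits(s));
}

int main(void) {
    describe("major", 524288);                       /* value from the post */
    describe("minor read as major", -2045022973);    /* value from the post */
    return 0;
}
```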
Re: Re : GSSAPI client on Windows

Douglas E. Engert


[hidden email] wrote:

> "Douglas E. Engert" <[hidden email]> wrote:
>
>>Try using the ethereal program on the client to trace network activity.
>>It might show what is going on, including Kerberos traffic with the
>>KDC.
>
> The problem doesn't seem to be a network problem because I import the TGT & the service ticket in the local cache before starting the client. Anyway, I have tried to use ethereal.
>

Not sure what you mean by "import the TGT & service ticket".
The gssapi libs will get a service ticket for you. You should use kinit
to get the TGT for the user.

Make sure you are getting the correct gssapi32.dll and krb5_32.dll. Several other packages
may have provided versions.


> If the TGT & the service ticket are in the local cache, no network activity is generated between pc35 & pc36 (not even an ARP request) by gss_init_sec_context.
>
> If the TGT is in the local cache and not the server ticket, no network activity is generated between pc35 & pc36 by gss_init_sec_context.
>
> Both tests generate a major status of 524288 ("No context has been established") and a minor status of -2045022973. This minor status value is defined in gssapi_err_generic.h as G_VALIDATE_FAILED. If I send it to gss_display_status, the "readable text" string returned is "Unknown routine error (field = 27)". I don't know what it refers to. (In fact, I don't even know if it reports an unknown routine or an unknown error.)
>
> The conclusion of these tests is that my client program never uses any distant resource. The problem probably comes from the way I use the API, from the compiler configuration or from the local Kerberos configuration. It doesn't seem to come from the KDC nor from a network problem.
>
> M

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444