[36566] in Kerberos
RE: gss_init_sec_context with delegated_cred_handle error
daemon@ATHENA.MIT.EDU (Xie, Hugh)
Thu Oct 23 11:58:38 2014
Date: Thu, 23 Oct 2014 15:58:23 +0000
From: "Xie, Hugh" <hugh.xie@bankofamerica.com>
To: "<kerberos@mit.edu>" <Kerberos@mit.edu>
Message-id: <7E270C3427928E499F189C5636C52CDC45BD38FA@smtp_mail.bankofamerica.com>
MIME-version: 1.0
Content-language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
The mailing server mess up the string of the principal into email
Here is uppercase principal "USERID @ MY.DOMAIN.COM" and the lower case principal is "userid @ my.domain.com"
From: Xie, Hugh
Sent: Thursday, October 23, 2014 11:39 AM
To: <kerberos@mit.edu>
Subject: gss_init_sec_context with delegated_cred_handle error
Hi,
When I pass GSS_C_NO_CREDENTIAL as cred_handle to gss_init_sec_context(), I got no error. But when I pass delegated_cred_handle (output from gss_accept_sec_context) as cred_handle to gss_init_sec_context(), I got 'Matching credential not found' error. It seems that when passing delegated_cred_handle gss_init_sec_context care about ticket cache. In my case the default principal in the ticket cache was upper case USERID@MY.DOMAIN.COM<mailto:USERID@MY.DOMAIN.COM>. Currently, I can remedy the situation by running a 'kinit userid@MY.DOMAIN.COM<mailto:userid@MY.DOMAIN.COM> -t -v $KRB5_KTNAME' to create a lower case default principal userid@MY.DOMAIN.COM<mailto:userid@MY.DOMAIN.COM>.
I have two questions:
1. Why gss_init_sec_context care about ticket cache default principal when using delegated_cred_handle? Why it works when I am not delegating?
2. Is there a better approach to remedy this problem other than kinit since the ticket cache could expire overtime, I am running a web service that could stop working if it expires? Is there a code based solution?
I am using krb5 version 1.11.5
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos