[7079] in Kerberos


Re: Problems running gss-server example as non-root

daemon@ATHENA.MIT.EDU (Scott Weitzenkamp)
Sat Apr 13 02:56:31 1996

To: kerberos@MIT.EDU
Date: Sat, 13 Apr 1996 05:30:40 GMT
From: scott@talarian.com (Scott Weitzenkamp)

In article <ublok1ecj6.fsf@strobe.weeg.uiowa.edu>,
Ed Hill <edhill@strobe.weeg.uiowa.edu> wrote:
>Hello, 
>
>I am trying to run the gss-server example that comes with the Kerberos 5b5
>distribution as a user other than root and am having problems.  It runs fine
>when the server is running as root (it doesn't matter who runs the client), but
>when I try to run it as any other user, I get the following error message when
>it calls the gss_accept_sec_context() function.
>
>  GSS-API error accepting context: Miscellaneous failure
>  GSS-API error accepting context: No error
>
>Doesn't reveal much.  I have the /etc/v5srvtab's permissions set to 444 (which
>I don't want to do).  Is there a way to specify that the gss-server program
>should use a different srvtab file than the system-wide one (I don't want all the
>services that run on a system to need to trust each other)?
>
>Any ideas?
>
>-Ed Hill (ed-hill@uiowa.edu)
>Systems Administrator - Information Technology Services - University of Iowa
>"I am Homer of Borg, prepare to be assim... Ooooooooh donuts!"

I'll bet you have a file /var/tmp/rc_<service> which only root can
read/write.  This file is a replay cache to help prevent replay
attacks.  You have to rm this file when done with it, set its
permissions like you did with the v5srvtab file, or set the
KRB5RCACHEDIR env var.

I'll also bet every single new user (including me :-) of Kerberos hits
this!  The GSS-API has some really horrible error messages (e.g.,
"Miscellaneous failure" and "No error") which don't help to diagnose
the problem.

Hope this helps.
-- 
Thanks in advance...
Scott Weitzenkamp, Talarian Corporation, Mountain View, CA
scott@talarian.com	(415) 965-8050
"Welcome to the late show, starring NULL and void" -- Men At Work
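
A check for the condition described in the reply above, added here as an example; it is not part of the original post or of the Kerberos distribution. It reports whether the replay cache file is usable by a given uid and can switch to a private KRB5RCACHEDIR. The function names are hypothetical, the rc_<service> naming and /var/tmp default are taken from the post, and group permissions are ignored as a simplification.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes the replay cache is
# "rc_<service>" in /var/tmp unless KRB5RCACHEDIR is set, as the post says.

# rcache_path SERVICE: print the replay cache path the server would use.
rcache_path() {
    printf '%s/rc_%s\n' "${KRB5RCACHEDIR:-/var/tmp}" "$1"
}

# rcache_status SERVICE [UID]: print absent, usable or blocked for UID
# (default: current user). Simplification: group permissions are ignored.
rcache_status() {
    rc_file=$(rcache_path "$1")
    rc_uid=${2:-$(id -u)}
    if [ ! -e "$rc_file" ]; then echo absent; return 0; fi
    if [ "$rc_uid" = 0 ]; then echo usable; return 0; fi
    # Field 1 of "ls -lnd" is the mode string, field 3 the numeric owner.
    set -- $(ls -lnd "$rc_file" | awk '{print $1, $3}')
    if [ "$2" = "$rc_uid" ]; then
        case $1 in ?rw*) echo usable ;; *) echo blocked ;; esac
    else
        case $1 in ???????rw*) echo usable ;; *) echo blocked ;; esac
    fi
}

# use_private_rcache DIR: create DIR with mode 0700 and point the Kerberos
# library at it, so each service keeps its own replay cache.
use_private_rcache() {
    mkdir -p "$1" || return 1
    chmod 700 "$1" || return 1
    KRB5RCACHEDIR=$1
    export KRB5RCACHEDIR
}

# Stand-alone use: sh rcache_check.sh SERVICE [PRIVATE_DIR]
if [ "$#" -ge 1 ]; then
    rc_state=$(rcache_status "$1")
    echo "$(rcache_path "$1"): $rc_state"
    if [ "$rc_state" = blocked ] && [ "$#" -ge 2 ]; then
        use_private_rcache "$2" && echo "KRB5RCACHEDIR=$KRB5RCACHEDIR"
    fi
fi
```

To have a server pick up the private directory, source the file, call use_private_rcache, and start the server from that same shell, since the exported variable only reaches child processes.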
