[7081] in Kerberos
DCE/Kerberos GSSAPI interoperability
daemon@ATHENA.MIT.EDU (Alex Ranous)
Sat Apr 13 11:29:29 1996
To: kerberos@MIT.EDU
Date: 12 Apr 1996 19:06:14 GMT
From: ranous@cup.hp.com (Alex Ranous)

I'm trying to get the MIT Kerberos V beta 5 GSSAPI to interoperate with
the HP DCE 1.4 (Based on OSF DCE 1.1) GSSAPI implementation and was having
some problems with gss_sign/gss_verify. I have applied the ANL patches to
the MIT Kerberos, and can use it successfully with other apps using the
secd as the KDC.

My Kerberos client can successfully call gss_init_sec_context(), obtain a
token, send it to the DCE based server, which can successfully call
gss_accept_sec_context() and gss_display_name() to get the principal of
the caller. The return token is passed back to the client, which uses it
to call gss_init_sec_context() again and finish the context with no
problem. So it seems that I can successfully authenticate between the two.

My problem is with gss_sign(). Data signed with either the DCE or MIT
GSSAPI cannot be verified by the other. A DCE GSSAPI client to a DCE
server does work. Here is what I get for error messages from the DCE
gss_verify():

    Major: The token was invalid.
    Minor: The token sequence number field in the token was invalid.

The Kerberos client gss_verify() gets the following from a DCE signature:

    Major: A token had an invalid signature
    Minor: No error

Is anyone aware of any problems with MIT/DCE interoperability of GSSAPI?
Is anyone successfully using them, especially sign/verify? Any pointers would
be very helpful.

Alex