[7110] in Kerberos
Re: Problems running gss-server example as non-root
daemon@ATHENA.MIT.EDU (Alain Lavoie)
Wed Apr 17 14:25:51 1996
To: kerberos@MIT.EDU
Date: Tue, 16 Apr 1996 13:55:42 GMT
From: Alain Lavoie <allavoie@qc.bell.ca>
Scott Weitzenkamp wrote:
>
> In article <ublok1ecj6.fsf@strobe.weeg.uiowa.edu>,
> Ed Hill <edhill@strobe.weeg.uiowa.edu> wrote:
> >Hello,
> >
> >I am trying to run the gss-server example that comes with the Kerberos 5b5
> >distribution as a user other than root and am having problems. It runs fine
> >when the server is running as root (it doesn't matter who runs the client), but
> >when I try to run it as any other user, I get the following error message when
> >it calls the gss_accept_sec_context() function.
> >
> > GSS-API error accepting context: Miscellaneous failure
> > GSS-API error accepting context: No error
> >
> >Doesn't reveal much. I have the /etc/v5srvtab's permissions set to 444 (which
> >I don't want to do). Is there a way to specify that the gss-server program
> >should use a different srvtab file than the system-wide one (I don't want all the
> >services that run on a system to need to trust each other).
> >
> >Any ideas?
> >
> >-Ed Hill (ed-hill@uiowa.edu)
> >Systems Administrator - Information Technology Services - University of Iowa
> >"I am Homer of Borg, prepare to be assim... Ooooooooh donuts!"
>
> I'll bet you have a file /var/tmp/rc_<service> which only root can
> read/write. This file is a replay cache to help prevent replay
> attacks. You have to rm this file when done with it, set its
> permissions like you did with the v5srvtab file, or set the
> KRB5RCACHEDIR env var.
>
> I'll also bet every single new user (including me :-) of Kerberos hits
> this! The GSS-API has some really horrible error messages (e.g.,
> "Miscellaneous failure" and "No error") which don't help to diagnose
> the problem.
>
You might also want to play with the communication flags provided in the
gss_init_sec_context(). My understanding was that by not selecting
GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG, my gss-server would not create
the file /var/tmp/rc_<service>; but it tried to create it anyway?
This is a nice experiment to try if you are using a commercial GSS-API
implementation and want to avoid having any user run into this problem.
For my part, I discovered the /var/tmp/rc_<service> file by running my
gss-server with the 'truss' utility (under Solaris 2.4). This small
utility could have let you find the source of the problem. Better chance
next time.
Mail other questions if needed.
Alain.
> Hope this helps.
> --
> Thanks in advance...
> Scott Weitzenkamp, Talarian Corporation, Mountain View, CA
> scott@talarian.com (415) 965-8050
> "Welcome to the late show, starring NULL and void" -- Men At Work
--
============================================================================
Alain Lavoie allavoie@qc.bell.ca
Consultant (514) 870-6493 VOICE
Bell Sygma Telecom Solutions (514) 870-3004 FAX
25N1-700 de la Gauchetiere ouest
Montreal(Que.) H3B 4L1
Canada
============================================================================
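A small preflight check for the failure discussed in this thread, added here as an example and not part of the original messages: it reports whether the invoking user can read the keytab and read/write (or create) the replay cache file, which the thread identifies as ${KRB5RCACHEDIR:-/var/tmp}/rc_<service>. The function name and arguments are assumptions of this example; the default paths are the ones named in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Checks, for the current user, the two
# files a gss-server needs at gss_accept_sec_context() time:
#   1. the keytab (Kerberos 5b5 used /etc/v5srvtab), which must be readable;
#   2. the replay cache ${KRB5RCACHEDIR:-/var/tmp}/rc_<service>, which must be
#      read/writable if it exists, or creatable in its directory if it does not.
# Running the server as root hides both problems, which is why the example
# works as root but fails for any other user with an unhelpful error.

# check_gss_server_access SERVICE [KEYTAB] [RCACHE_DIR]
# Prints one finding per problem; returns 0 if all is well, 1 otherwise.
check_gss_server_access() {
    service=$1
    keytab=${2:-/etc/v5srvtab}
    rcdir=${3:-${KRB5RCACHEDIR:-/var/tmp}}
    rcache="$rcdir/rc_$service"
    me=$(id -un)
    status=0

    if [ ! -e "$keytab" ]; then
        echo "keytab $keytab: does not exist"
        status=1
    elif [ ! -r "$keytab" ]; then
        # Prefer a per-service keytab owned by the service user over chmod 444,
        # so other local services cannot read this service's key.
        echo "keytab $keytab: not readable by $me"
        status=1
    fi

    if [ -e "$rcache" ]; then
        if [ ! -r "$rcache" ] || [ ! -w "$rcache" ]; then
            # Stale cache left by an earlier root run: remove it, or point
            # KRB5RCACHEDIR at a directory owned by the service user.
            echo "replay cache $rcache: exists but not read/writable by $me"
            status=1
        fi
    elif [ ! -d "$rcdir" ] || [ ! -w "$rcdir" ]; then
        echo "replay cache dir $rcdir: $me cannot create rc_$service there"
        status=1
    fi
    return $status
}

# Usage: ./check.sh SERVICE [KEYTAB] [RCACHE_DIR]
if [ "$#" -ge 1 ]; then
    check_gss_server_access "$@"
fi
```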