
Date: Tue, 07 Mar 2006 19:56:37 -0800
From: Valerie Peng <Yu-Ching.Peng@Sun.COM>
Subject: Cannot acquire initiator cred using gss_acquire_cred with explicit name on Windows
To: krb5-bugs@mit.edu
Cc: jaltman@gmail.com
I downloaded kfw-3.0.0-final and unzipped it under my personal
directory.

I have an app which will load the gssapi32.dll and dynamically
invoke various gss functions. So far things work fine except
this one problem with gss_acquire_cred that looks like a bug
in the MIT kerberos impl.

Here is what I tried:
=========================
major = gssIndicateMechs(&minor, &desired_mechs);
// gss_acquire_cred call#1
major = gssAcquireCred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
desired_mechs, GSS_C_INITIATE, &credHdl, NULL, NULL);

major = gssInquireCred(&minor, credHdl, &nameHdl, NULL, NULL, NULL);
// gss_acquire_cred call#2
major = gssAcquireCred(&minor, nameHdl, GSS_C_INDEFINITE,
desired_mechs, GSS_C_INITIATE, &credHdl, NULL, NULL);
...
major = gssImportName(&minor, &nameVal, nameType, &nameHdl);
// gss_acquire_cred call#3
major = gssAcquireCred(&minor, nameHdl, 0, desired_mechs,
GSS_C_ACCEPT, &credHdl2, NULL, NULL);
=========================

#1 and #3 of the above gss_acquire_cred(...) calls succeed
while #2 hangs.

I checked the major/minor status after each gss call and did
not observe any problem up until call#2. If I commented out #2,
my app will run to its completion.

Please fix this...
Thanks,
Valerie
I need to correct my previous statement - actually, both 1 and 2
fail with the same error code and message, e.g. FAILURE "Matching
credential not found".

gss_acquire_cred() succeeds when I either use GSS_C_NO_NAME or
the name handle which I got back as a result of gss_inquire_cred()
whose cred is acquired w/ GSS_C_NO_NAME.

Anyhow, here is the code snippet:

nameVal.value = "dummy"; //"dummy@JSN.SFBAY.SUN.COM";
nameVal.length = strlen(nameVal.value)+1;
nameType = GSS_C_NT_USER_NAME;
major = gss_import_name(&minor, &nameVal, nameType, &nameHdl);
displayStatus(header, "gss_import_name", major, minor, GSS_C_NO_OID);
/* nameHdl is an opaque handle (a pointer), so print it with %p */
fprintf(stdout, "[%s] IMPORTED NAME=%p\n", header, (void *)nameHdl);

major = gss_acquire_cred(&minor, nameHdl, GSS_C_INDEFINITE,
                         desired_mechs, GSS_C_INITIATE, &credHdl, NULL, NULL);
fprintf(stdout, "[%s] ACQUIRED INIT CRED USING SPECIFIED NAME\n",
        header);
displayStatus(header, "client's gss_acquire_cred", major, minor, mech);

Thanks,
Valerie
Taking your code snippet I re-wrote it in C which I have attached to the
ticket. The output of the resulting program is as follows:

[C:\temp]gss_acquire_cred_test.exe jaltman

[C:\temp]gss_acquire_cred_test.exe foo
GSS-API error client's gss_acquire_cred: Miscellaneous failure
GSS-API error client's gss_acquire_cred: Matching credential not found

[C:\temp]gss_acquire_cred_test.exe jaltman@ATHENA.MIT.EDU

[C:\temp]gss_acquire_cred_test.exe jaltman@JPL.NASA.GOV

[C:\temp]gss_acquire_cred_test.exe jaltman@JPL.NASA.GO
GSS-API error client's gss_acquire_cred: Miscellaneous failure
GSS-API error client's gss_acquire_cred: Matching credential not found


I believe that you have a typo in your code because the length of the
name_val should not include the trailing NUL.

I can find no error in the current implementation of the gssapi library.

Jeffrey Altman
#include <gssapi.h>

#include <stdlib.h>
#include <stdio.h>
#include <string.h>     /* strlen */

/*+
 * Function: display_status
 *
 * Purpose: displays GSS-API messages
 *
 * Arguments:
 *
 *      msg             a string to be displayed with the message
 *      maj_stat        the GSS-API major status code
 *      min_stat        the GSS-API minor status code
 *
 * Effects:
 *
 * The GSS-API messages associated with maj_stat and min_stat are
 * displayed on stdout, each preceded by "GSS-API error <msg>: " and
 * followed by a newline.
 */

static void
display_status_1(char *m, OM_uint32 code, int type) {
    OM_uint32 maj_stat, min_stat;
    gss_buffer_desc msg;
    OM_uint32 msg_ctx;

    msg_ctx = 0;
    /* gss_display_status may return several messages for one code;
     * loop until the message context is exhausted. */
    while (1) {
        maj_stat = gss_display_status(&min_stat, code,
                                      type, GSS_C_NULL_OID,
                                      &msg_ctx, &msg);
        printf("GSS-API error %s: %s\r\n", m,
               (char *)msg.value);
        (void) gss_release_buffer(&min_stat, &msg);

        if (!msg_ctx)
            break;
    }
}

void
display_status (char *msg, OM_uint32 maj_stat, OM_uint32 min_stat) {
    display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
    display_status_1(msg, min_stat, GSS_C_MECH_CODE);
}

void usage(char * app)
{
    fprintf(stderr, "usage: %s principal-name\n",app);
}

int main(int argc, char *argv[])
{
    gss_buffer_desc name_val;
    gss_OID_set mech_names;
    gss_name_t name_hdl;
    OM_uint32 maj_stat;
    OM_uint32 min_stat;
    gss_name_t src_name, targ_name;
    gss_buffer_desc sname, tname;
    OM_uint32 lifetime;
    gss_OID mechanism, name_type;
    int is_local;
    OM_uint32 context_flags;
    int is_open;
    gss_qop_t qop_state;
    gss_buffer_desc oid_name;
    size_t i;
    int token_flags;
    gss_cred_id_t cred_hdl;
    gss_ctx_id_t context;

    if ( argc < 2 ) {
        usage(argv[0]);
        return(1);
    }

    /* The buffer length counts the name bytes only, without the
     * trailing NUL. */
    name_val.value = argv[1];
    name_val.length = strlen(name_val.value);
    name_type = GSS_C_NT_USER_NAME;

    maj_stat = gss_import_name(&min_stat, &name_val, name_type, &name_hdl);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("gss_import_name", maj_stat, min_stat);
        return -1;
    }

    /* Acquire initiator credentials for the explicitly named principal. */
    maj_stat = gss_acquire_cred(&min_stat, name_hdl, GSS_C_INDEFINITE, NULL,
                                GSS_C_INITIATE, &cred_hdl, NULL, NULL);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("client's gss_acquire_cred", maj_stat, min_stat);
        return -1;
    }

    return 0;
}
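
The length point raised in the reply above, as an added example that is not part of the ticket or the attached program: a counted name buffer built with strlen(s) + 1 carries the terminator as a name byte, so it no longer equals the same name built with strlen(s). The name_buffer type is a local stand-in for gss_buffer_desc, and every function name here is hypothetical; name_equal is an assumed byte-wise comparison for illustration, not the library's matching logic.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-in for gss_buffer_desc (length + value), so this builds
 * without the GSS-API headers. All names below are hypothetical. */
typedef struct { size_t length; void *value; } name_buffer;

/* Correct construction: length counts the name bytes, not the NUL. */
static name_buffer name_from_cstr(char *s)
{
    name_buffer b = { strlen(s), s };
    return b;
}

/* 1 if the counted bytes include a NUL, as strlen(s) + 1 produces. */
static int name_has_embedded_nul(const name_buffer *b)
{
    return b->length > 0 && memchr(b->value, '\0', b->length) != NULL;
}

/* Assumed byte-wise comparison of two counted names (illustration only,
 * not the library's matching logic). */
static int name_equal(const name_buffer *a, const name_buffer *b)
{
    return a->length == b->length &&
           memcmp(a->value, b->value, a->length) == 0;
}

/* Strip trailing NULs before an import call; returns bytes removed. */
static size_t name_trim_trailing_nul(name_buffer *b)
{
    size_t removed = 0;
    while (b->length > 0 && ((char *)b->value)[b->length - 1] == '\0') {
        b->length--;
        removed++;
    }
    return removed;
}

int main(void)
{
    char s1[] = "dummy", s2[] = "dummy";        /* constructed sample names */
    name_buffer good = name_from_cstr(s1);
    name_buffer bad = { strlen(s2) + 1, s2 };   /* the off-by-one length */
    int mismatch = name_has_embedded_nul(&bad) && !name_equal(&good, &bad);
    name_trim_trailing_nul(&bad);
    return (mismatch && name_equal(&good, &bad)) ? 0 : 1;
}
```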


Date: Mon, 13 Mar 2006 15:49:43 -0800
From: Valerie Peng <Yu-Ching.Peng@Sun.COM>
Subject: Re: [krbdev.mit.edu #3502] Cannot acquire initiator cred using gss_acquire_cred with explicit name on Windows
To: rt-comment@krbdev.mit.edu
RT-Send-Cc:
I corrected the length of name_val so that it uses strlen(..) which
should not include the trailing null, but the result is the same.

Maybe you could send me the src of your gss_acquire_cred_test
so I can compare and check.

Thanks!
Valerie

Jeffrey Altman via RT wrote:
> Taking your code snippet I re-wrote it in C which I have attached to the
> ticket. The output of the resulting program is as follows:
>
> [C:\temp]gss_acquire_cred_test.exe jaltman
>
> [C:\temp]gss_acquire_cred_test.exe foo
> GSS-API error client's gss_acquire_cred: Miscellaneous failure
> GSS-API error client's gss_acquire_cred: Matching credential not found
>
> [C:\temp]gss_acquire_cred_test.exe jaltman@ATHENA.MIT.EDU
>
> [C:\temp]gss_acquire_cred_test.exe jaltman@JPL.NASA.GOV
>
> [C:\temp]gss_acquire_cred_test.exe jaltman@JPL.NASA.GO
> GSS-API error client's gss_acquire_cred: Miscellaneous failure
> GSS-API error client's gss_acquire_cred: Matching credential not found
>
>
> I believe that you have a typo in your code because the length of the
> name_val should not include the trailing NUL.
>
> I can find no error in the current implementation of the gssapi library.
>
> Jeffrey Altman
Date: Wed, 15 Mar 2006 16:01:37 -0800
From: Valerie Peng <Yu-Ching.Peng@Sun.COM>
Subject: Re: [krbdev.mit.edu #3502] Cannot acquire initiator cred using gss_acquire_cred with explicit name on Windows
To: rt-comment@krbdev.mit.edu
RT-Send-Cc:
Please ignore my previous email. I am not sure what went wrong before,
but things are working for me now.

I only have one more question - when will your fix be available?
When will the next MIT KFW release (assuming it has your fix of
course) available for download?

Thanks!
Valerie

Valerie Peng wrote:
> I corrected the length of name_val so that it uses strlen(..) which
> should not include the trailing null, but the result is the same.
>
> Maybe you could send me the src of your gss_acquire_cred_test
> so I can compare and check.
>
> Thanks!
> Valerie
>
> Jeffrey Altman via RT wrote:
>
>> Taking your code snippet I re-wrote it in C which I have attached to the
>> ticket. The output of the resulting program is as follows:
>>
>> [C:\temp]gss_acquire_cred_test.exe jaltman
>>
>> [C:\temp]gss_acquire_cred_test.exe foo
>> GSS-API error client's gss_acquire_cred: Miscellaneous failure
>> GSS-API error client's gss_acquire_cred: Matching credential not found
>>
>> [C:\temp]gss_acquire_cred_test.exe jaltman@ATHENA.MIT.EDU
>>
>> [C:\temp]gss_acquire_cred_test.exe jaltman@JPL.NASA.GOV
>>
>> [C:\temp]gss_acquire_cred_test.exe jaltman@JPL.NASA.GO
>> GSS-API error client's gss_acquire_cred: Miscellaneous failure
>> GSS-API error client's gss_acquire_cred: Matching credential not found
>>
>>
>> I believe that you have a typo in your code because the length of the
>> name_val should not include the trailing NUL.
>>
>> I can find no error in the current implementation of the gssapi library.
>>
>> Jeffrey Altman
>
>
>
The next version of KFW, version 3.1, will contain the fix. We do not
have a release date specified. If there is a specific date by which
you would like to have a public release, please send that information as
a request to krbcore@mit.edu.