[OpenAFS] gssklog

Nicolas Williams Nicolas.Williams@sun.com
Wed, 27 Aug 2003 08:29:37 -0700


On Wed, Aug 27, 2003 at 10:18:50AM -0500, Douglas E. Engert wrote:
> Jerome Walter wrote:
> > 
> > On Tue, Aug 26, 2003 at 02:20:04PM -0500, Douglas E. Engert wrote:
> > > Leave off the --enable-server and it should only build the client.
> > 
> > Ok, I compiled it, and it works great ... on the server.
> > The client on the Solaris gives me the following error :
> > 
> > GSS-error acquiring credentials: major_status:00070000 minor_status:00000000
> > No credentials were supplied, or the credentials were unavailable or
> > inaccessible
> > mech_dh: Success
> > Unable to get user credentials
> 
> 
> See the responses from the Sun people yesterday. GSS is "generic" and there
> can be more than one mechanism. On the Sun it is trying the DH mech,
> as it is listed first in the /etc/gss/mech file.

Note though that one can make sure that the "default" mechanism does not
cause this sort of problem.

Basically, you attempt GSS_Acquire_cred() a credential for all
mechanisms available (see GSS_Indicate_mechs()).  Then, on the initiator
side, pick one of the resulting credential's actual mechs to use with
GSS_Init_sec_context() - the acceptor should just accept contexts with
the acquired credential.

This way the order of /etc/gss/mech entries becomes irrelevant.

There's still the task of picking one of a credential's actual mechs, on
the initiator side, but usually there will be only one, so that's easy.
And if there's more, then the application could pick the first one [sets
have no order] or a random member of that OID set, or according to some
configurable preference, or prompt for user input, etc...

I encourage you to change the application as described, rather than
change the order of /etc/gss/mech.

Cheers,

Nico
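The initiator-side selection step Nico describes, as an added example in C (not code from this thread, from gssklog or from OpenAFS). No GSS library is linked: the two structs mirror the layout of gss_OID_desc and gss_OID_set_desc from the GSS-API C bindings (RFC 2744), so pick_mech() can be applied to the actual_mechs set that gss_acquire_cred() returns once its desired_mechs argument is the full set from gss_indicate_mechs(). The krb5 and SPNEGO OIDs are the real ones; the DH entry is a constructed placeholder (not the real Solaris mech_dh OID), and the sample set and the preference order are assumptions standing in for what an application would load from its configuration.

```c
/* Added example (not from the thread or gssklog): choose one of an acquired
 * credential's actual mechs by configurable preference, falling back to any
 * member when nothing preferred is present. The structs mirror the layout of
 * gss_OID_desc / gss_OID_set_desc (RFC 2744); no GSS library is linked. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    unsigned int length;            /* number of DER bytes (gss_OID_desc.length) */
    const unsigned char *elements;  /* DER-encoded arcs   (gss_OID_desc.elements) */
} mech_oid;

typedef struct {
    size_t count;                   /* gss_OID_set_desc.count */
    const mech_oid *elements;       /* gss_OID_set_desc.elements */
} mech_oid_set;

/* Real mechanism OIDs in DER form. */
static const unsigned char KRB5_DER[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const unsigned char SPNEGO_DER[] = {0x2b,0x06,0x01,0x05,0x05,0x02};               /* 1.3.6.1.5.5.2 */
/* Constructed placeholder standing in for Solaris mech_dh; NOT its real OID. */
static const unsigned char DH_PLACEHOLDER_DER[] = {0x2b,0x06,0x01,0x04,0x01,0x7f,0x7f,0x01};

static const mech_oid KRB5_MECH   = { sizeof KRB5_DER,   KRB5_DER };
static const mech_oid SPNEGO_MECH = { sizeof SPNEGO_DER, SPNEGO_DER };
static const mech_oid DH_MECH     = { sizeof DH_PLACEHOLDER_DER, DH_PLACEHOLDER_DER };

/* Assumed application preference order; a real client would load this from config. */
static const mech_oid DEFAULT_PREFS[] = {
    { sizeof KRB5_DER,   KRB5_DER },
    { sizeof SPNEGO_DER, SPNEGO_DER },
};
#define NPREFS (sizeof DEFAULT_PREFS / sizeof DEFAULT_PREFS[0])

/* Constructed sample: what actual_mechs might hold on a Solaris box where the
 * DH mech is listed first in /etc/gss/mech. Set order is meaningless. */
static const mech_oid SAMPLE_MEMBERS[] = {
    { sizeof DH_PLACEHOLDER_DER, DH_PLACEHOLDER_DER },
    { sizeof KRB5_DER,   KRB5_DER },
    { sizeof SPNEGO_DER, SPNEGO_DER },
};
static const mech_oid_set SAMPLE_ACTUAL = { 3, SAMPLE_MEMBERS };

/* Same comparison gss_test_oid_set_member() performs: length plus bytes. */
int oid_equal(const mech_oid *a, const mech_oid *b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Index into actual of the first preferred mech that is present; if none of
 * the preferences is present, index 0 (any member will do, since OID sets are
 * unordered); -1 if the credential carries no mechs at all. */
int pick_mech(const mech_oid_set *actual, const mech_oid *prefs, size_t nprefs) {
    if (actual == NULL || actual->count == 0) return -1;
    for (size_t p = 0; p < nprefs; p++)
        for (size_t i = 0; i < actual->count; i++)
            if (oid_equal(&prefs[p], &actual->elements[i])) return (int)i;
    return 0;
}

/* Render a DER OID as dotted text for logging; 0 on success, -1 on bad input. */
int oid_to_dotted(const mech_oid *o, char *buf, size_t buflen) {
    const unsigned char *p = o->elements;
    if (o->length == 0) return -1;
    unsigned x = p[0] < 80 ? p[0] / 40 : 2;          /* first byte packs arcs 1 and 2 */
    int n = snprintf(buf, buflen, "%u.%u", x, p[0] - 40 * x);
    if (n < 0 || (size_t)n >= buflen) return -1;
    size_t used = (size_t)n;
    unsigned long v = 0;
    for (unsigned i = 1; i < o->length; i++) {          /* remaining arcs: base-128 */
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;
        n = snprintf(buf + used, buflen - used, ".%lu", v);
        if (n < 0 || (size_t)n >= buflen - used) return -1;
        used += (size_t)n;
        v = 0;
    }
    return v == 0 ? 0 : -1;                             /* dangling continuation byte */
}

int demo_pick(void) { return pick_mech(&SAMPLE_ACTUAL, DEFAULT_PREFS, NPREFS); }

const char *demo_selected(void) {
    static char buf[64];
    int idx = demo_pick();
    if (idx < 0 || oid_to_dotted(&SAMPLE_ACTUAL.elements[idx], buf, sizeof buf) != 0) return "";
    return buf;                                         /* "1.2.840.113554.1.2.2" */
}

int main(void) {
    printf("chosen mech %s (index %d of %zu actual mechs)\n",
           demo_selected(), demo_pick(), SAMPLE_ACTUAL.count);
    return 0;
}
```

In a real client the chosen OID is what goes into the mech_type argument of gss_init_sec_context() together with the credential that was acquired for all mechs; the acceptor side needs no selection at all and just accepts with that credential, which is why the /etc/gss/mech ordering stops mattering.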