A little trouble understanding Kerberos GSS-API.

My KDC is Windows 2k
host1 is Solaris 7
host2 is NT 4 with leash32 2.1.1.1

On my 2k KDC I defined the following principals.

    ktpass -princ [EMAIL PROTECTED] -mapuser user1 -pass password -out 1.keytab
    ktpass -princ [EMAIL PROTECTED] -mapuser user2 -pass password -out 2.keytab
    ktpass -princ [EMAIL PROTECTED] -mapuser junkuser1 -pass password -out 11.keytab
    ktpass -princ [EMAIL PROTECTED] -mapuser junkuser2 -pass password -out 12.keytab

On host1 I run:

    #kinit user1
    #gss-server rcmd

If I call (gss-client host1 rcmd "test") from the same computer (host1) it works great. On host2 I kinit as user2 and call gss-client, it fails with:

    the imported name is [EMAIL PROTECTED]
    Sending init_sec_context token (size=1240)...continue needed...
    GSS-API error initializing context: Miscellaneous failure
    GSS-API error initializing context: Generic error (see e-text)

gss-server prints:

    Wrong principal in request

On host2:

    #kinit user2
    #gss-server rcmd

If I call (gss-client host2 rcmd "test") from the same computer (host2) it works great, but if I try it from host1 it doesn't work. The results are the same as above.

Basically it will only work if I run both gss-client and gss-server on the same computer.

What am I doing wrong?
Why does it automatically append the hostname and realm when importing the name?
Do I need to kinit as junkuser1 or junkuser2?
What's the relationship between -princ and -mapuser?
Is it just because I can't create a multi-part principal name in Windows?
Can I just create dummy users for the princs?

Am I correct in assuming that:
1. the gss-server is basically acting as an application server?
2. the gss-client gets the ticket for the service specified on the command line?

Many thanks in advance

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
