Jacques Lebastard wrote:
The Kerberos OID is specified when invoking gss_acquire_cred within GSS-API server.
OK, but is the gss server able to actually acquire these creds? Usually, the server gets its credentials from a keytab file (/etc/krb5/krb5.keytab on Solaris 9).
Server has no problem acquiring its own cred (I even tried usage = GSS_C_BOTH to make sure there is no problem b/w Solaris server and Active Directory KDC).
> To make the system default to using the Kerberos mech, adjust the lines in /etc/gss/mech file so that kerberos_v5 mechanism appears before the mech_dh mechanisms.
Changing the entries in the mech file and restarting the GSS-API server did not solve the problem. Would a server reboot make any difference?
No, rebooting Solaris will probably not help.
What is the gssapi client requesting in its initial token?
You might try analyzing the token that the gss-server is receiving
to make sure it is getting an initial token that requests the Kerberos
OID.
It does. The sole difference b/w accepted tokens and the refused one is the contents of the encrypted parts.
Anyway, the problem has been identified: the customer just informed me that the clock of the workstation was not properly synchronized.
However, if I try it here, I get an explicit GSS-minor error message.
Thanks for your contribution,
--
Mr. Jacques LEBASTARD mailto:[EMAIL PROTECTED]
EVIDIAN S.A. www.evidian.com
Rue Jean Jaurès Tel: +33 1 30 80 77 86
F-78340 LES CLAYES SOUS BOIS Fax: +33 1 30 80 77 99
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
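
One way to run the check suggested in the thread, that the initial token names the Kerberos OID, is to decode the RFC 2743 section 3.1 framing directly. This is an added example, not code from the thread or from any Kerberos distribution; the function names and the sample token are constructed for illustration.

```python
# Added example: decode the RFC 2743 section 3.1 framing of an initial GSS-API token.
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.3.6.1.5.5.2": "SPNEGO"}

def _der_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _decode_oid(body):
    """Turn DER OID content octets into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:          # high bit clear ends this sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)     # first sub-identifier packs arcs 1 and 2
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_initial_token(token):
    """Return the mechanism OID and inner token id of an initial context token."""
    if not token or token[0] != 0x60:
        raise ValueError("not an RFC 2743 initial token (no 0x60 tag)")
    total, pos = _der_length(token, 1)
    end = pos + total
    if end > len(token) or pos >= end or token[pos] != 0x06:
        raise ValueError("truncated token or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    if pos + oid_len > end:
        raise ValueError("OID runs past end of token")
    oid = _decode_oid(token[pos:pos + oid_len])
    inner = token[pos + oid_len:end]
    return {"mech_oid": oid, "mech_name": KNOWN_MECHS.get(oid, "unknown"),
            "tok_id": inner[:2].hex(), "inner_len": len(inner)}

# Constructed sample: Kerberos V5 OID, TOK_ID 01 00 (AP-REQ), then filler bytes
# standing in for the AP-REQ body, which is not decoded here.
_BODY = bytes.fromhex("06092a864886f712010202") + b"\x01\x00" + b"\x00" * 4
SAMPLE_TOKEN = b"\x60" + bytes([len(_BODY)]) + _BODY

if __name__ == "__main__":
    print(parse_initial_token(SAMPLE_TOKEN))
```

A token can pass this check and still be refused, as happened here: the authenticator's timestamp is inside the encrypted part, so clock skew does not show in the framing.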
