Hi,

I am developing an application for Windows which does KCD.
I have compiled the krb5 code for Windows after checking out the krb5-1.16 branch and am using those DLLs in my application. The flow is as follows:

1. Get the TGT for the service account.
2. Acquire the impersonation token using GSS-API; this involves calling gss_acquire_cred() and gss_acquire_cred_impersonate_name(), in that order.
3. Get the token. The GSS APIs used for this are gss_init_sec_context() and gss_delete_sec_context().

The code works fine and generates a token most of the time, but once in a while it crashes, and the crash happens in the library.

The detailed API calls are as follows (error checking removed to keep it short):

1. Get TGT code:

    krb5_context krb_context;
    krb5_principal client_principal; // service account
    krb5_creds creds;
    krb5_keytab keytab;
    krb5_ccache ccache;

    krb5_init_context(&krb_context);
    krb5_cc_default(krb_context, &ccache);
    krb5_parse_name_flags(krb_context, service_un,
                          KRB5_PRINCIPAL_PARSE_ENTERPRISE | KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
                          &client_principal);
    krb5_get_init_creds_password(krb_context, &creds, client_principal,
                                 service_password, NULL, NULL, 0, NULL, NULL);
    // store the TGT in the default credential cache
    krb5_cc_initialize(krb_context, ccache, client_principal);
    krb5_cc_store_cred(krb_context, ccache, &creds);

2. Get impersonation token:

    gss_buffer_desc buf;
    gss_OID_set_desc mechs;
    gss_buffer_desc user_cred_token;

    user_cred_token.length = 0;
    user_cred_token.value = NULL;
    mechs.elements = (gss_OID)gss_mech_krb5;
    mechs.count = 1;

    gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
                     &mechs, &impersonator_cred_handle, NULL, NULL);
    gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, user,
                                      GSS_C_INDEFINITE, &mechs, GSS_C_INITIATE,
                                      &user_cred_handle, NULL, NULL);

3. Get token:

    gss_init_sec_context(&minor, user_cred_handle, &initiator_context, TargetSpn,
                         (gss_OID) gss_mech_krb5,
                         GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_MUTUAL_FLAG,
                         GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
                         NULL, &token, NULL, &time_rec);
    gss_delete_sec_context(&minor, &initiator_context, NULL);

As I mentioned above, this works well most of the time, except I see crashes happening frequently when the process is serving tokens for multiple users using the same service account.

The crash stack traces are as follows (yes, there are 2 crashes, happening at gss_acquire_cred_impersonate_name and gss_init_sec_context):

    service_tcp_write::sendto_kdc.c:1113 address::0x7446B388
    service_dispatch::sendto_kdc.c:1064 address::0x7446CFF4
    service_fds::sendto_kdc.c:1423 address::0x7446D638
    k5_sendto::sendto_kdc.c:1518 address::0x74469FC8
    krb5_sendto_kdc::sendto_kdc.c:507 address::0x744697C0
    krb5_get_cred_via_tkt_ext::gc_via_tkt.c:377 address::0x74470350
    krb5_get_self_cred_from_kdc::s4u_creds.c:586 address::0x744CDC14
    krb5_get_credentials_for_user::s4u_creds.c:705 address::0x744CC734
    kg_impersonate_name::s4u_gss_glue.c:77 address::0x74604850
    krb5_gss_acquire_cred_impersonate_name::s4u_gss_glue.c:156 address::0x746042B4
    gss_add_cred_impersonate_name::g_acquire_cred_imp_name.c:421 address::0x745E1B6C
    gss_acquire_cred_impersonate_name::g_acquire_cred_imp_name.c:182 address::0x745E17A4

    service_tcp_write::sendto_kdc.c:1113 address::0x7446B388
    service_dispatch::sendto_kdc.c:1064 address::0x7446CFF4
    service_fds::sendto_kdc.c:1423 address::0x7446D638
    k5_sendto::sendto_kdc.c:1518 address::0x74469FC8
    krb5_sendto_kdc::sendto_kdc.c:507 address::0x744697C0
    krb5_tkt_creds_get::get_creds.c:1194 address::0x744627C8
    krb5_get_credentials::get_creds.c:1272 address::0x74462488
    get_credentials::init_sec_context.c:196 address::0x745F6FF4
    kg_new_connection::init_sec_context.c:587 address::0x745F7CE4
    krb5_gss_init_sec_context_ext::init_sec_context.c:987 address::0x745F6944
    krb5_gss_init_sec_context::init_sec_context.c:1103 address::0x745F6868
    gss_init_sec_context::g_init_sec_context.c:215 address::0x745D8B50

Any help with this is highly appreciated. Please let me know if anything is missing, and I would be happy to provide more details.

Puran
_______________________________________________
kfwdev mailing list
kfwdev@mit.edu
http://mailman.mit.edu/mailman/listinfo/kfwdev