[28641] in Kerberos
Re: gss_accept_sec_context
daemon@ATHENA.MIT.EDU (Kevin Coffman)
Fri Nov 2 09:26:20 2007
Message-ID: <4d569c330711020624i1bf95423mba405635d51c718e@mail.gmail.com>
Date: Fri, 2 Nov 2007 09:24:25 -0400
From: "Kevin Coffman" <kwc@citi.umich.edu>
To: "Manoj Mohan" <manojm@us.ibm.com>
In-Reply-To: <13545270.post@talk.nabble.com>
Cc: kerberos@mit.edu
On 11/2/07, Manoj Mohan <manojm@us.ibm.com> wrote:
>
> Hi,
>
> I am new to the Kerberos world, so forgive my noviceness.
>
> I have a KDC running on Linux and my client and server are also on Linux. After
> registering the user principals and service principals when client is
> connecting to server, I can see from the klist that
> the service ticket is generated properly.
>
> However, at the server end, after successfully executing gss_acquire_cred(),
> I am failing in gss_accept_sec_context with maj_stat: 851968, min_stat:
> -1765328154
>
> However, after some googling, I can see that Kerberos error codes go only
> as far as -1765328157L...
> It looks like a big coincidence that we are getting that close an error to
> be an INCORRECT error
>
> Any pointers?
>
> Manoj

From krb5.h:

    #define KRB5_KT_KVNONOTFOUND (-1765328154L)

This indicates that the client is getting a service ticket which was
produced with a key version (KVNO) that the server does not have in
its keytab file. I'd assume that you did a 'ktadd' for the service
and failed to update the keytab that the service is using. (Or the
client has an "old" service ticket and the server's keytab no longer
has that older version of the key.)
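
Added example (not part of the original message and not code from MIT Kerberos): a stand-alone C decoder for the maj_stat/min_stat pair reported above, showing that 851968 is GSS_S_FAILURE and that the minor status falls inside the krb5 error table. It assumes the RFC 2744 bit layout for major status and the com_err convention of 256 codes per table starting at KRB5KDC_ERR_NONE; the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* GSS-API major status layout (RFC 2744): calling error in bits 24-31,
 * routine error in bits 16-23, supplementary info in bits 0-15. */
static unsigned calling_error(uint32_t maj) { return (maj >> 24) & 0xFFu; }
static unsigned routine_error(uint32_t maj) { return (maj >> 16) & 0xFFu; }
static unsigned supplementary(uint32_t maj) { return maj & 0xFFFFu; }

/* Routine error names from RFC 2744, indexed by the routine error field. */
static const char *const ROUTINE_NAMES[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN",
};

static const char *routine_error_name(uint32_t maj) {
    unsigned r = routine_error(maj);
    size_t n = sizeof ROUTINE_NAMES / sizeof ROUTINE_NAMES[0];
    return r < n ? ROUTINE_NAMES[r] : "unknown";
}

/* The krb5 com_err table starts at KRB5KDC_ERR_NONE (-1765328384L in krb5.h)
 * and, by com_err convention (assumed here), spans 256 codes. Working in
 * uint32_t accepts a min_stat that was printed signed (%d) or unsigned (%u).
 * Returns the offset into the table, or -1 if the code is outside it. */
static int krb5_table_offset(int64_t min_stat) {
    uint32_t off = (uint32_t)min_stat - (uint32_t)INT64_C(-1765328384);
    return off < 256u ? (int)off : -1;
}

int main(void) {
    uint32_t maj = 851968;           /* maj_stat from the message */
    int64_t min = -1765328154;       /* min_stat from the message */

    printf("calling=%u routine=%u (%s) supplementary=%u\n",
           calling_error(maj), routine_error(maj),
           routine_error_name(maj), supplementary(maj));
    /* KRB5_KT_KVNONOTFOUND, per the #define quoted in the reply */
    printf("krb5 table offset=%d\n", krb5_table_offset(min));
    return 0;
}
```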