Hi,

I am facing some problems while doing a gss_init_sec_context with
SPNEGO. Take a look at the snippet below.

The API gss_init_sec_context_spnego is a wrapper over the
gss_init_sec_context call. It prepares a negotiate token for the
initiator and encapsulates it in a spnego packet. It will be called only
once.

During the first loop it creates the NegTokenInit token, and
gss_init_sec_context_spnego returns GSS_S_CONTINUE_NEEDED (as
expected). Also, I checked in ethereal: the server is responding with
an accept_completed and the negotiated mechanism.

Now as per RFC 4178 (SPNEGO), the client has to invoke
gss_init_sec_context with
input_token = negTokenTarg

I have done so, but gss_init_sec_context fails, giving the reason:
GSS-API error Error initializing security context: Invalid token was
supplied
GSS-API error Error initializing security context: No error

Am I doing something wrong when responding back to the
server?

<snip>
        do
        {
                OM_uint32 ret_flags1;
                fprintf(stderr, "NEXT.............................3\n");

                /* First pass: call the SPNEGO wrapper, which builds the
                 * NegTokenInit around the mechanism token. */
                if (neg_state == 0)
                {
                        printf("executing spnego init\n");
                        gss_rc = gss_init_sec_context_spnego(&minor_status,
                                GSS_C_NO_CREDENTIAL, &context_handle, serv_name,
                                mech_type,
                                GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG,
                                0, NULL, &input_token, NULL, &output_token,
                                &ret_flags1, NULL);

                        neg_state = 1;
                }
                else
                {
                        /* Later passes: plain gss_init_sec_context, fed with the
                         * server's reply (input_token) from the previous bind. */
                        printf("executing normal init\n");
                        gss_rc = gss_init_sec_context(&minor_status,
                                GSS_C_NO_CREDENTIAL, &context_handle, serv_name,
                                mech_type,
                                GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG,
                                0, NULL, &input_token, NULL, &output_token,
                                &ret_flags1, NULL);
                }

                if (gss_rc != GSS_S_COMPLETE && gss_rc != GSS_S_CONTINUE_NEEDED)
                {
                        display_status("Error initializing security context",
                                gss_rc, minor_status);
                        goto cleanup;
                }

                /* Send the output token to the server in an LDAP SASL bind
                 * using the GSS-SPNEGO mechanism. */
                cbv.bv_val = (char *)output_token.value;
                cbv.bv_len = output_token.length;

                retval = ldap_sasl_bind_s(ld, NULL, "GSS-SPNEGO", &cbv, NULL,
                                NULL, &sbv);

                if (!(retval == LDAP_SASL_BIND_IN_PROGRESS || retval == LDAP_SUCCESS))
                {
                        fprintf(stderr, "SASL Bind error:%s\n",
                                ldap_err2string(retval));
                        goto cleanup;
                }

                /* The server's reply (negTokenTarg) becomes the next input_token. */
                if (sbv)
                {
                        input_token.value = sbv->bv_val;
                        input_token.length = sbv->bv_len;
                }

        } while (gss_rc == GSS_S_CONTINUE_NEEDED);
</snip>

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
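One way to check what the server's negTokenTarg actually carries before handing it to the next gss_init_sec_context call, as an added example that is not part of the original post or of any GSS-API library: decode the RFC 4178 NegTokenResp and read its negState, supportedMech and responseToken. The sample token and the function names are constructed for this example; the field names follow the RFC.

```python
# Added example (not from the original post): minimal DER decoder for the SPNEGO
# NegTokenResp (negTokenTarg) of RFC 4178, for inspecting the bytes in sbv->bv_val.
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}

def read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content octets into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                              # last base-128 digit
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_neg_token_resp(token):
    """Return the NegTokenResp fields as a dict; raise if the token is not one."""
    tag, body, _ = read_tlv(token, 0)
    if tag == 0x60:
        raise ValueError("InitialContextToken (NegTokenInit), not a NegTokenResp")
    if tag != 0xA1:                                      # [1] negTokenResp
        raise ValueError("not a NegTokenResp, outer tag 0x%02x" % tag)
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE inside negTokenResp")
    fields = dict.fromkeys(("negState", "supportedMech", "responseToken", "mechListMIC"))
    pos = 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)             # [n] EXPLICIT wrapper
        _, value, _ = read_tlv(inner, 0)                 # the element it wraps
        if ctx == 0xA0:
            fields["negState"] = NEG_STATES.get(value[0], "unknown(%d)" % value[0])
        elif ctx == 0xA1:
            fields["supportedMech"] = decode_oid(value)
        elif ctx in (0xA2, 0xA3):                        # OCTET STRING fields
            fields["responseToken" if ctx == 0xA2 else "mechListMIC"] = bytes(value)
    return fields

# Constructed sample reply: accept-completed, Kerberos V5 chosen, dummy responseToken.
SAMPLE_NEG_TOKEN_TARG = bytes.fromhex("a11a3018a0030a0100a10b06092a864886f712010202a2040402dead")
```

A reply whose negState is accept-completed with no responseToken means the server has nothing further for the mechanism; a token that decodes as a NegTokenInit instead of a NegTokenResp is the initiator's own first token, not the server's answer.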
