I use build 4 and in general it works fine. I have now compiled the
gss-sample test client and server on Opensolaris and Solaris 10 build 4.

On OpenSolaris I get:

client:
./gss-client -port 11000 -mech 1.3.6.1.5.5.2 opensolaris.solaris.home HTTP
test
Sending init_sec_context token (size=606)...continue needed...

context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"markus@SOLARIS.HOME" to "HTTP/opensolaris.solaris.home@SOLARIS.HOME",
lifetime 35860, flags 136, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 2 1 }.
Mechanism { 1 3 6 1 5 5 2 } supports 4 names
0: { 1 2 840 113554 1 2 1 1 }
1: { 1 2 840 113554 1 2 1 2 }
2: { 1 2 840 113554 1 2 1 3 }
3: { 1 3 6 1 5 6 2 }
Signature verified.

server:
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Accepted connection: "markus@SOLARIS.HOME"
Received message: "test"
NOOP token


whereas on Solaris 10 I get:

client:
../gss-client -port 11000 -mech 1.3.6.1.5.5.2 solaris10 HTTP Test
Sending init_sec_context token (size=581)...continue needed...reading token
flags: 0 bytes read

server:
../gss-server -port 11000 HTTP
GSS-API error accepting context: No credentials were supplied, or the
credentials were unavailable or inaccessible
GSS-API error accepting context: No error

So it looks to me like a bug in Solaris 10.

Markus


"Douglas E. Engert" wrote in message
news:4884B822.8030504@anl.gov...
>
>
> Markus Moeller wrote:
>> I tried to use my squid_kerb_auth on Solaris 10 and fail. My configure
>> determines it supports SPNEGO but when I use it I get
>>
>> 2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
>> credentials were supplied, or the credentials were unavailable or
>> inaccessible. No error
>> BH gss_accept_sec_context() failed: No credentials were supplied, or the
>> credentials were unavailable or inaccessible. No error
>> 2008/07/20 16:11:37| squid_kerb_auth: User not authenticated
>>
>> To test it I did a kinit as a user and run squid_kerb_auth_test which
>> creates a base64 encoded token.
>> ./squid_kerb_auth_test testserver.solaris.home
>> Token: YIICPAYGKwYBBQUCoIICMDCCAiygDTALBg......
>>
>> I use then the token as input to squid_kerb_auth
>>
>> ./squid_kerb_auth -i -d <
>>> YIICPAYGKwYBBQUCoIICMDCCAiygDTALBgkqh...
>>> !

>>
>> 2008/07/20 16:11:36| squid_kerb_auth: Starting version 1.0.1
>> 2008/07/20 16:11:36| squid_kerb_auth: Got 'YR YIICPAYGKwYBBQUCoII....
>> from
>> squid (length: 771).
>> 2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
>> credentials were supplied, or the credentials were unavailable or
>> inaccessible. No error
>> BH gss_accept_sec_context() failed: No credentials were supplied, or the
>> credentials were unavailable or inaccessible. No error
>> 2008/07/20 16:11:37| squid_kerb_auth: User not authenticated
>>
>>
>> When I do the same on any other platform (including Opensolaris) it works
>> fine. Also when I configure squid_kerb_auth without -DHAVE_SPNEGO it
>> works
>> fine e.g. I get:
>>
>> 2008/07/20 16:11:07| squid_kerb_auth: Starting version 1.0.1
>> 2008/07/20 16:11:07| squid_kerb_auth: Got 'YR YIICEQYJKoZIhvcSAQICAQB....
>> from squid (length: 715).
>> 2008/07/20 16:11:07| squid_kerb_auth: parseNegTokenInit failed with
>> rc=102
>> 2008/07/20 16:11:07| squid_kerb_auth: Token is possibly a GSSAPI token
>> AF AA== markus@SOLARIS.HOME
>> 2008/07/20 16:11:07| squid_kerb_auth: AF AA== markus@SOLARIS.HOME
>> 2008/07/20 16:11:07| squid_kerb_auth: User markus@SOLARIS.HOME
>> authenticated
>>
>>
>> Is this a know problem with Solaris 10 or must I specify the right
>> mechanism
>> ?
>>

>
> I had some problems with mod_auth_kerb with SPNEGO on Solaris 10, bit
> mostly
> with storing delegate credentials.
> http://opensolaris.org/jive/thread.j...59270&tstart=0
>
> It might have to do with what maintenance level you are at.
> Over the life of Solaris 10, Sun has made quite a few changes, including
> adding the Kerberos header files. ldd might also show something.
>
>>
>> Thank you
>> Markus
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>

>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>