Re: GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not found in keytab

From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: GSS-API error gss_accept_sec_context: Request ticket server HTTP/
not found in keytab
Date: Fri, 11 Nov 2022 13:44:54 -0500
 by: Greg Hudson - Fri, 11 Nov 2022 18:44 UTC

On 11/11/22 10:33, Kerberos Enthusiast wrote:
> It seems, if multiple servers supply separate keytabs, then the
> subsequent kerberos auth request targeted for multiple kerberos servers
> with separate keytabs and application keep on
> updating "default_keytab_name" global variable and it causes some of the
> authentication requests to fail and it throws this error

There is no global variable named default_keytab_name in MIT krb5.
There is a krb5.conf configuration variable with this name, but it is
never changed by the GSS or Kerberos libraries.

> *"GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not
> found in keytab" *(major code - 186a5, d0000)

This message is a little bit puzzling, because the principal name
("HTTP/") is incomplete, and because the message of this form in the
code includes a parenthetical about the ticket kvno.

> Using this api *krb5_gss_register_acceptor_identity() *to set the default
> keytab file for kerberos authentication.

This function sets a thread-specific global variable. It should work to
invoke it before each call to gss_acquire_cred(), or before each call to
gss_accept_sec_context() using the default acceptor credential. Or:

> Can we use any other gss_api to maintain the local context of the keytab
> file and send this keytab for every authentication request?

gss_acquire_cred_from() allows the caller to specify a keytab name when
acquiring credentials. See:

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#credential-store-extensions
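
An added diagnostic example, not part of the original post and not MIT krb5 code: the acceptor finds the key for an incoming ticket by looking up the service principal and kvno in the keytab it was given, so with one keytab per server the first check is which keytab actually holds the requested entry. This goes beyond the reply by parsing the keytab file directly; it assumes the MIT keytab file format version 0x0502, and the principal names, realm, kvnos and all-zero keys are constructed sample data.

```python
import struct

def _counted(buf, off):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                       # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):          # realm first, then name components
            s, off = _counted(rec, off)
            names.append(s.decode())
        off += 8                            # skip name type and timestamp
        kvno = rec[off]                     # 8-bit kvno
        (enctype,) = struct.unpack_from(">H", rec, off + 1)
        _key, off = _counted(rec, off + 3)  # step over the key; never returned
        if len(rec) - off >= 4:             # optional 32-bit kvno overrides
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
    return entries

def build_entry(principal, realm, kvno, enctype=18):
    """Constructed demo entry with a dummy all-zero key (not a real secret)."""
    parts = [realm] + principal.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, 32) + bytes(32)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def find_keytabs(keytabs, principal, kvno):
    """Names of the keytabs that hold `principal` at `kvno` (any enctype)."""
    return sorted(n for n, d in keytabs.items()
                  if any((p, k) == (principal, kvno) for p, k, _ in parse_keytab(d)))

# Constructed sample: one keytab per server, as in the setup discussed above.
KEYTABS = {
    "web1.keytab": b"\x05\x02" + build_entry("HTTP/web1.example.com", "EXAMPLE.COM", 3),
    "web2.keytab": b"\x05\x02" + build_entry("HTTP/web2.example.com", "EXAMPLE.COM", 5),
}
```

An empty result from `find_keytabs` for the principal and kvno named in the acceptor's error means no configured keytab can decrypt that ticket, whichever keytab the acceptor was pointed at.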
