[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

seam client's sequence number

To: "'Heimdal'" <heimdal-discuss@sics.se>
Subject: seam client's sequence number
From: "Zi-Bin Yang" <zbyang@decru.com>
Date: Tue, 4 Nov 2003 11:44:46 -0800
Importance: Normal
In-Reply-To: <amekwokiji.fsf@nutcracker.stacken.kth.se>
Organization: Decru, Inc.
Sender: owner-heimdal-discuss@sics.se

I've been working on implementing RPCSEC_GSS for our NFS server, but I
have some trouble with the GSS token sent by the NFS client, which runs
in SunOS 5.9 on i386.

Specifically, gss_accept_sec_context() accepting GSS token from the
client succeeds, but gss_verify_mic() and gss_unwrap() fails at checking
the remote sequence number.  I traced through gss_accept_sec_context()
in the following series of calls:

    accept_sec_context.c:gss_accept_sec_context()
      rd_req.c:krb5_rd_req()
        rd_req.c:krb5_verify_ap_req()
          rd_req.c:krb5_verify_ap_req2()
            rd_req.c:descrypt_authenticator()
              codec.c:krb5_decode_Authenticator()
                asn1_Authenticator.c:decode_Authenticator()

and figured that in the last call, when it's trying to get the sequence
number, it reaches the end of buffer and didn't get the sequence number.

In RFC 1964, Section 1.1.1, it clearly states that "the authenticator
shall include the optional sequence number."  So it seems the SEAM
client is in clear violation of the RFC?  Has anyone run into this
problem before?  Any suggestion?  Thanks in advance!

Zi-Bin Yang
DECRU, INC.

References:
- Re: New installation for GSSAPI, sample application error
  - From: Love <lha@stacken.kth.se>

Prev by Date: Re: New installation for GSSAPI, sample application error
Next by Date: LDAP layouts for Heimdal
Prev by thread: Re: New installation for GSSAPI, sample application error
Next by thread: Re: Propagating MIT-Kerberos Database to Heimdal KDC
Index(es):
- Date
- Thread