gss_acquire_cred on Windows

Question

I'm trying to acquire credentials for Administrator on Windows host. I'm under mingw64_shell.

Here is my credential:

$ klist Credentials cache: FILE:/tmp/krb5cc_1049076 Principal: Administrator@CORP.PEROKSID.COM

Issued Expires Principal Jan 4 10:14:07 2016 Jan 4 20:14:07 2016 krbtgt/CORP.PEROKSID.COM@CORP.PEROKSID.COM

Here is my code:

#include <stdio.h>
#include <string.h>
#include <gss.h>

static void doDisplay(const char *m,OM_uint32 code,int type)
{
    OM_uint32 maj_stat, min_stat;
    gss_buffer_desc msg;
    OM_uint32 msg_ctx;

    msg_ctx = 0;
    while (1)
    {
        maj_stat = gss_display_status(&min_stat, code,
                                      type, GSS_C_NULL_OID,
                                      &msg_ctx, &msg);
        printf("GSS-API error %s - type: %s code: %d, msg: %s\n", m,
             type == GSS_C_GSS_CODE ? "major" : "minor",
             code,
             (char *)msg.value);
        gss_release_buffer(&min_stat, &msg);

        if (!msg_ctx)
            break;
    }
}

void displayError(const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat)
{
    doDisplay(msg, maj_stat, GSS_C_GSS_CODE);
    doDisplay(msg, min_stat, GSS_C_MECH_CODE);
}



int getCreds(const char *service_name, gss_cred_id_t *server_creds)
{
    printf ("Test name: %s\n", service_name);
    gss_buffer_desc name_buf;
    gss_name_t server_name;
    OM_uint32 maj_stat, min_stat;

    name_buf.value = service_name;
    //name_buf.length = strlen(name_buf.value) + 1;
    name_buf.length = strlen(name_buf.value);
    maj_stat = gss_import_name(&min_stat, &name_buf,
                               (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &server_name);
    if (maj_stat != GSS_S_COMPLETE)
    {
        displayError("importing name", maj_stat, min_stat);
        return -1;
    }
    maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
                                GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
                                server_creds, NULL, NULL);

    if (maj_stat != GSS_S_COMPLETE)
    {
        displayError("acquiring credentials", maj_stat, min_stat);
        return -1;
    }

    (void) gss_release_name(&min_stat, &server_name);

    return 0;
}

int main(int argc, char** argv) {
        gss_cred_id_t gsscreds;
        if(getCreds(argv[1], &gsscreds) != 0)
                return 1;
}

I have compiled it as a.exe. I run it:

$ ./a.exe 'Administrator@CORP.PEROKSID.COM' Test name: Administrator@CORP.PEROKSID.COM GSS-API error acquiring credentials - type: major code: 458752, msg: No credentials were supplied, or the credentials were unavailable or inaccessible GSS-API error acquiring credentials - type: minor code: 11, msg: No principal in keytab matches desired name

How I can fix this error?

Answer 1

You probably misunderstood the API. The servername you are importing with GSS_C_NT_HOSTBASED_SERVICE is your target server. gss_acquire_cred needs an initiate crdential. accept is for servers/services. Services do work with keytabs only and client with caches or client keytabs. Since you have a valid credential cache for a user principal, you want to initiate a context with a client redential.