Hello,

We're using MIT Kerberos v5-1.10.3. Occasionally we're seeing authentication failures. The gss_display_status call on the minor status code returned by the gss_accept_sec_context (major status == GSS_S_FAILURE) gives the following error message:

*Cannot create replay cache file /var/tmp/host_1000: File exists.*

Why does this happen? The problem, however, does seem to resolve itself.

Prakash

Prakash N | 408 771 4273

On Tue, Feb 4, 2014 at 11:15 AM, Prakash Narayanaswamy <prak...@nutanix.com> wrote:

> Greg, the patch that you gave us fixed the issue. Thanks for the prompt
> debugging and a quick patch.
>
> Prakash
>
> On Mon, Feb 3, 2014 at 6:53 PM, Prakash Narayanaswamy <prak...@nutanix.com> wrote:
>
>> Thanks a lot, Greg. We'll take the patch, apply it, test it and get back
>> to you. Thanks again.
>>
>> Prakash
>>
>> Prakash N | 408 771 4273
>>
>> On Mon, Feb 3, 2014 at 6:31 PM, Greg Hudson <ghud...@mit.edu> wrote:
>>
>>> On 02/03/2014 02:26 PM, Prakash Narayanaswamy wrote:
>>> > Hello, We are trying to get a service (a SMB server) running on Linux
>>> > kerberized using the GSS API. During the negotiation (SPNEGO), the Windows
>>> > SMB client specifies MS KRB5 (1.2.840.48018.1.2.2) as the preferred
>>> > mechanism and supplies the initial token. The gss_accept_sec_context method
>>> > on the server accepts the token and generates a *NegTokenResp*, setting the
>>> > *negState* to *"accept-completed"* and *supportedMech* to *KRB5
>>> > (1.2.840.113554.1.2.2)* among other things.
>>> [...]
>>> > The question now is this: Is there a better way of doing this? Are we
>>> > missing something here?
>>>
>>> Nope, it's just a bug. I apparently introduced it in 1.10 when fixing
>>> another issue. Thanks for investing it in enough detail to make it easy
>>> to find the mistake.
>>>
>>> Here is a candidate fix, which should make its way into master and
>>> 1.12.2:
>>>
>>> https://github.com/greghudson/krb5/commits/spnegofix
>>>
>>> Here is the bug-tracker entry I filed:
>>>
>>> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos