Subject: re: racoon, gss-api auth, and win2k IPSec IKE ...
To: None <tech-net@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 06/05/2002 10:30:42
On 05/23/2002 17:51:04, I wrote:

>I have racoon (the racoon-20020507a package) on 1.5ZC successfully
>establishing connections with a win2k (sp2, high encryption) machine,
>using preshared keys.  I'd really like to use the gss-api
>authentication instead.
>
>Has anyone ever gotten this to work?


Some more data: I snarfed samba-3.0-alpha17, rototilled the Samba code
to call into Heimdal internals instead of MIT internals for its
implementation of the MS setpasswd extensions, and used the Kerberized
``net join'' to get a principal for racoon host into PDC/kdc.

I added more debugging-level logging to racoon's gssapi.c.

I have confirmed that the stupid, stupid Win2k machine is sending its
principal as Unicode or UTF8 (I can never remember which is which).
If I ping from the NetBSD host to the win2k machine, the
gss_import_name() in racoon's gssapi_get_itoken() fails: instead of
getting 'h' 'o' 's' 't' '/', it's getting
'h' '\0' 'o' '\0' 's' '\0' 't' '\0' '/' '\0'.

For testing purposes, I kludged in a heuristic: if the
gss_import_name() fails, and every other char (up to an odd-byte null)
is zero, then discard the nulls, and retry the gss_import_name().

With that, the second gss_import_name() of the win2k IKE partner succeeds.
But then gss_init_sec_context() fails for what seems to be the same
reason (its partner arg is a gss_name_t, which is syntactic sugar
for a Heimdal principal).

Is there _any_ hope of getting this to work by reworking all
the racoon-level code, to try ASCIIfying and retrying each and every
GSSAPI call after a name-related failure?  It's gross, I know, but I
hold little hope of getting Assar &co to redo the Heimdal GSSAPI
library to support Unicode strings (pushing the retry inside Heimdal's
libgssapi).

Any other ideas?
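The byte pattern described in the post (every odd byte zero) is UTF-16LE, which is what Windows calls "Unicode". The following is an added example, not code from racoon, Heimdal or the poster: it implements only the "every other byte is zero, so drop the nulls" check and narrowing step of the retry heuristic, with the actual gss_import_name() call left out so it compiles and runs without a GSS-API library. The principal host/pc.example.com and the sample byte buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the retry heuristic described in the post (not
 * racoon's or Heimdal's code): before retrying gss_import_name() on a
 * peer identity that failed to import, check that the buffer really has
 * the UTF-16LE-encoded-ASCII shape "h\0o\0s\0t\0/\0..." and, if so,
 * squeeze the zero bytes out. */

/* Returns 1 if buf looks like UTF-16LE-encoded ASCII: even length, every
 * odd byte zero, every even byte a printable ASCII character. */
int looks_like_utf16le_ascii(const unsigned char *buf, size_t len)
{
    size_t i;
    if (len == 0 || (len & 1) != 0)
        return 0;
    for (i = 0; i < len; i += 2) {
        if (buf[i + 1] != 0)                 /* high byte must be zero */
            return 0;
        if (buf[i] < 0x20 || buf[i] > 0x7e)  /* low byte must be printable ASCII */
            return 0;
    }
    return 1;
}

/* Narrow a UTF-16LE ASCII buffer into out (NUL-terminated). Returns the
 * number of characters written, or -1 if the input does not qualify or
 * out is too small. A caller would retry gss_import_name() on out. */
int narrow_utf16le_name(const unsigned char *buf, size_t len,
                        char *out, size_t outlen)
{
    size_t i, n = len / 2;
    if (!looks_like_utf16le_ascii(buf, len) || outlen < n + 1)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)buf[2 * i];
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: the kind of buffer the post says racoon saw from the
 * Win2k peer, for the hypothetical principal host/pc.example.com. */
static const unsigned char sample_utf16le[] = {
    'h',0,'o',0,'s',0,'t',0,'/',0,
    'p',0,'c',0,'.',0,'e',0,'x',0,'a',0,'m',0,'p',0,'l',0,'e',0,
    '.',0,'c',0,'o',0,'m',0
};

/* Narrow the constructed sample into a static buffer and return it
 * (NULL if the sample does not qualify). */
const char *narrow_sample(void)
{
    static char name[64];
    if (narrow_utf16le_name(sample_utf16le, sizeof sample_utf16le,
                            name, sizeof name) < 0)
        return NULL;
    return name;
}

int main(void)
{
    const char *name = narrow_sample();
    if (name == NULL) {
        puts("not UTF-16LE ASCII; leave the name alone");
        return 1;
    }
    printf("narrowed name: %s\n", name);
    return 0;
}
```

Note that this only handles names whose characters are all ASCII; a principal with anything outside that range would need a real UTF-16LE to UTF-8 conversion rather than byte dropping, and, as the post observes, fixing the name alone does not help the later gss_init_sec_context() failure.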