Subject: Re: racoon, gss-api auth, and win2k IPSec IKE ...
To: None <tech-net@netbsd.org, fvdl@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 06/06/2002 18:44:55
In message <200206051730.KAA26026@Pescadero.DSG.Stanford.EDU> Jonathan Stone writes
[ MS puts UTF-8/unicode strings in what should be an ASCII principal-name]
>Is there _any_ hope of getting this to work by reworking all
>the racoon-level code, to try ASCIIfying and retrying each and every
>GSSAPI call after a name-related failure?
`Almost...'' Turns out there's a misfeature/bug in Heimdal:
Heimdal's gss_init_sec_context() uses a helper, init_auth(),
which leaves junk/zeros in the auth_context's keytype and cksumtype.
I dunno about MIT krb5, but win2k doesn't like that at all.
Explicitly setting those fields to a supported type, e.g.,
this_cred.session.keytype = 0;
+ (*context_handle)->auth_context->keytype = KEYTYPE_DES;
+ (*context_handle)->auth_context->cksumtype = CKSUMTYPE_CRC32;
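Review bot: the two added lines hard-code keytype to KEYTYPE_DES and cksumtype to CKSUMTYPE_CRC32 instead of deriving them from the session key, while the context line just above still sets this_cred.session.keytype = 0; this fixes the zeroed fields only for the DES case and will mismatch whenever the negotiated session key has a different enctype. Suggest setting auth_context->keytype from the actual session key type and choosing a cksumtype that matches that key (a keyed checksum, since CRC32 is not keyed), with a comment noting that init_auth() otherwise leaves these fields zeroed.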
works much better. With that, the gss-api mechanism to a WIN2K/SP2
client, and a win2k/sp2 PDC, seems to work: racoon gets as far as
computing its DH public/private pair. But I'm still not seeing
phase2, so maybe the Windows box is unhappy with the de-unicoded names
racoon is now sending it (or maybe I need to add unicode->ascii compaction
elsewhere).
I'll ask Assar &c on heimdal-discuss about the Heimdal GSSAPI vs win2k
issues. Anyone else interested in poring over racoon traces?
PS: mucho thanks to Frank and Zembu for adding the GSSAPI hooks to racoon.