"Rob Crittenden" <rcritten_at_redhat.com> wrote in message
news:4A158E90.6020903_at_redhat.com...
> On Solaris 9 I'm having an issue where --negotiate isn't working because
> the wrong mechanism is being used. The error I see is:
>
> gss_init_sec_context() failed: : mech_dh: No secret key
>
> The problem can be fixed by re-ordering /etc/gss/mech to have kerberos
> first (it is currently one of the Diffie-Hellman algos).
>

That seems a good way to set the default gss mechanism.

> My question is: Is this the accepted way of doing it?
>
> An alternative would be to pass in the kerberos OID to
> gss_init_sec_context() as the mechanism. I did this by passing the krb5
> OID string to gss_str_to_oid() and using the resulting token in the
> gss_init_sec_context() call.
>

That is also a good way to force the use of Kerberos

> My GSS-API mech file is dated 2004 so I'm assuming it was copied off the
> install CD and never touched since. I don't want to assume that bad things
> won't happen if I re-order the file :-)
>
> thanks
>
> rob
>

Maybe some people on the Kerberos list can provide more suggestions.

Markus