GSSAPI / SSPI call for help

swbell kerygma2 at swbell.net
Fri Jan 7 13:01:57 EST 2005 

in article BE03D4FB.1A83%bewskeet at mac.com, Bruce Wells at bewskeet at mac.com
wrote on 1/7/05 5:56 AM:

> Hello To All,
> I've been working with Kerberos in a Windows / Linux environment. The KDC is
> being run by a W2003 machine. My clients can reside on both Windows and
> Linux. These are my questions:
> 
> 1.) When a client is running on Windows acquiring the credentials are
> straight forward. The assumption is that the user that is currently logged
> on is the user whose credentials we will be acquiring. My question is this:
> What exactly is going on under the hood when you're on a Linux box and
> you're logged on as User A running  and you want to run an application as
> User B?. Let's say that you're required to enter your username / password.
> How does one go about getting the credentials for User B so that the program
> can carry on a GSSAPI exchange with a GSSAPI service running on Linux? When
> you call gss_acquire_cred, I'm assuming that the gsss / kerberos libraries
> are going back to the Windows KDC to get the handles to the credentials,
> correct? If all I'm getting back from the Windows KDC is a HANDLE to the
> credentials, do I really need to gather the password from the user?
> Or when you call gss_acquire_cred, is it assuming that credential
> information has already been imported into the local krb5.keytab file? If
> this is the case, are we saying that I must have keytab cred info for every
> user that's in setup in Windows Active Directory? Is there way to force the
> libraries to go back to the Windows KDC to get the credential information?
> 
> For the record, I can kinit any Windows from Linux (provided I know their
> password) and get their TGT as verified by klist so I know that the config
> file is set up correctly to use Windows 2003 as the KDC.
> 
> TIA for any and all help,
> Bruce.
> 
> 
> 
> 
> 
You should see if you can use gss_krb5_ccache_name.  This can be used to
make gssapi stuff work with credentials other than the logged in user (user
with creds in the default cache).

Use krb5_cc_resolve, and krb5_get_init_creds_password to set up an alternate
credentials cache for your other user.

More information about the Kerberos mailing list