How to reuse the credentials handle to avoid a network call for every request (same user).

Rahul G rahulrasm at gmail.com
Mon Apr 3 13:26:04 EDT 2017


Thank you for the reply.

I was able to reuse the credentials from the gss_acquire_cred_impersonate_name()
function by storing the creds specific to each user in a data structure.
(I retrieve the creds from the data structure and pass them to init_sec_context.)
I could avoid one TGS_REQ with that change, but this is like a hack.
I just wondered if KfW supported caching, but you answered that.
I will keep an eye out for the solution.

Thank you, Greg.

On Mon, Apr 3, 2017 at 12:40 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 03/31/2017 01:37 PM, Rahul G wrote:
> > I have a KCD implementation based on t_s4u.c, using
> > gss_acquire_cred_impersonate_name() and gss_init_sec_context(). This works
> > fine, giving my impersonator an auth token to the target server on behalf
> > of the client user. The problem is, my implementation does a TGS_REQ
> > subsequently for the same user and same target server. Is there a way I can
> > reuse the credentials that I received with the first auth token? We want to
> > avoid unnecessary network traffic, especially since the tickets have the
> > default expirations (10hrs).
>
> Unfortunately, we only made using cached S4U2Proxy credentials work in
> krb5-1.15 [1], while the most recent KfW release is based on krb5-1.13.
> I don't know of any application-level workaround that would help.  As we
> only make KfW releases infrequently, it may be some time before there is
> a KfW release with this feature added; therefore, building the current
> or 1.15 krb5 sources on Windows may be the only way to get this to work
> in the near future.
>
> [1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=8372
>

