Credentials for an arbitrary user.

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Feb 3 14:21:07 EST 2004


Kevin Burton wrote:

>I am trying to interface with our Windows 2000 server using Kerberos. I
>would like a client to obtain a credential handle for a given user with a
>supplied password. Using GSSAPI this involves calling gss_init_sec_context
>and instead of passing GSS_C_NO_CREDENTIAL I would like to pass the opaque
>handle gss_cred_id_t which is obtained via gss_acquire_cred. The problem is
>that gss_acquire_cred only has the option to specify a credential by name
>(not password). So I am assuming that the way to go would be to look at what
>kinit does and then the "name" of the credential is probably the principal
>name. I call the following:
>

GSSAPI does not have an API for getting initial credentials (i.e.
'kinit' functionality). The user must establish their personal
credentials external to the GSSAPI application (example: run kinit,
then run the GSSAPI application).

>krb5_init_context
>krb5_cc_default
>krb5_parse_name (passing the principal name name at domain)
>krb5_unparse_name (because that is what kinit does)
>  
>
Depending on where you put this code, you are likely violating the
abstraction layer that GSSAPI was designed to provide. An application
that calls GSSAPI should never call a mechanism-specific API.

-Wyllys

>Then I call krb5_get_init_creds_password and I get an error indicating that
>my I/O flags are not appropriate. This is a Windows application so tty
>settings and I/O settings are not really applicable. Is there another way to
>get a set of credentials given a user name and password? Ideally I would
>like a gss_cred_id_t handle of the credentials but right now I would take
>anything.
>
>Thank you for your suggestions.
>
>Kevin
>
>