Credentials for an arbitrary user.

Douglas E. Engert deengert at anl.gov
Tue Feb 3 15:09:58 EST 2004



Kevin Burton wrote:
> 
> I am trying to interface with our Windows 2000 server using Kerberos. I
> would like a client to obtain a credential handle for a given user with a
> supplied password.

If the client is running on UNIX, you can set KRB5CCNAME ....
then do a kinit, then call your application. The gss_acquire_cred will use 
the underlying implementation's method to find the credential. 

If the client is on Windows there are some other things you can do.

> Using GSSAPI this involves calling gss_init_sec_context
> and instead of passing GSS_C_NO_CREDENTIAL I would like to pass the opaque
> handle gss_cred_id_t which is obtained via gss_acquire_cred. The problem is
> that gss_acquire_cred only has the option to specify a credential by name

The name would be which credential in a credential cache. It's not what 
you might think.

> (not password). So I am assuming that the way to go would be to look at what
> kinit does and then the "name" of the credential is probably the principal
> name. I call the following:
> 
> krb5_init_context
> krb5_cc_default
> krb5_parse_name (passing the principal name name at domain)
> krb5_unparse_name (because that is what kinit does)
> 
> Then I call krb5_get_init_creds_password and I get an error indicating that
> my I/O flags are not appropriate. This is a Windows application so tty
> settings and I/O settings are not really applicable. Is there another way to
> get a set of credentials given a user name and password? Ideally I would
> like a gss_cred_id_t handle of the credentials but right now I would take
> anything.

(This is not tested:)
 #!/bin/sh
 # i.e. make it unique: $$ appends this shell's process ID
 KRB5CCNAME=FILE:/tmp/krb5_cc.appl.$$
 export KRB5CCNAME
 kinit
 application
 kdestroy

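If it has to be in the application how about something like:
  OM_uint32 major, minor;
  gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
  setenv("KRB5CCNAME", somefilename, 1); /* 1 = overwrite any existing value */
  system("kinit"); /* or call some krb5 routines */
  major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
                           GSS_C_INITIATE, &cred, NULL, NULL); /* default credential in that cache */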
  

> 
> Thank you for your suggestions.
> 
> Kevin

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
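
A more defensive form of the wrapper script sketched in the reply above, added here as an example and not part of the original message: it keeps the cache in a freshly created owner-only directory instead of a predictable /tmp name, and destroys the tickets even if the application fails or is interrupted. The names with_private_ccache, KINIT and KDESTROY are hypothetical; KINIT and KDESTROY default to the real kinit and kdestroy.

```shell
#!/bin/sh
# Added example, not from the original post. with_private_ccache, KINIT and
# KDESTROY are hypothetical names; the last two default to the real tools.

# with_private_ccache PRINCIPAL COMMAND [ARGS...]
# Runs COMMAND with KRB5CCNAME set to a cache inside a fresh owner-only
# directory, after kinit for PRINCIPAL; destroys the cache afterwards.
with_private_ccache() (
    [ "$#" -ge 2 ] || { echo "usage: with_private_ccache principal command [args]" >&2; exit 2; }
    principal=$1; shift

    # mktemp -d creates the directory atomically with mode 0700, so the
    # cache path cannot be predicted or pre-created by another local user
    # (unlike a fixed /tmp name with a PID suffix).
    cc_dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_appl.XXXXXX") || exit 1
    KRB5CCNAME="FILE:$cc_dir/cc"
    export KRB5CCNAME

    # Remove the tickets however the subshell ends.
    cleanup() {
        "${KDESTROY:-kdestroy}" >/dev/null 2>&1 || :
        rm -rf "$cc_dir"
    }
    trap cleanup EXIT
    trap 'exit 129' HUP
    trap 'exit 130' INT
    trap 'exit 143' TERM

    # kinit prompts for the password and writes the TGT into KRB5CCNAME.
    "${KINIT:-kinit}" "$principal" || exit 1

    # The application (and its gss_acquire_cred call) inherits KRB5CCNAME.
    status=0
    "$@" || status=$?
    exit "$status"
)
```

The function body runs in a subshell, so the caller's own KRB5CCNAME and traps are left untouched.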

