Credentials for an arbitrary user.

Kevin Burton rkevinburton at charter.net
Tue Feb 3 18:10:43 EST 2004


I am taking this directly from the kinit source. I want this functionality
to be embedded in the app.

Kevin

"Wyllys Ingersoll" <wyllys.ingersoll at sun.com> wrote in message
news:401FF4A3.2050401 at sun.com...
> Kevin Burton wrote:
>
> >I am trying to interface with our Windows 2000 server using Kerberos. I
> >would like a client to obtain a credential handle for a given user with a
> >supplied password. Using GSSAPI this involves calling gss_init_sec_context
> >and instead of passing GSS_C_NO_CREDENTIAL I would like to pass the opaque
> >handle gss_cred_id_t which is obtained via gss_acquire_cred. The problem is
> >that gss_acquire_cred only has the option to specify a credential by name
> >(not password). So I am assuming that the way to go would be to look at what
> >kinit does and then the "name" of the credential is probably the principal
> >name. I call the following:
> >
>
> GSSAPI does not have an API for getting initial credentials (i.e.
> 'kinit' functionality). The user must establish their personal
> credentials external to the GSSAPI application (example: run kinit,
> then run the GSSAPI application).
>
> >krb5_init_context
> >krb5_cc_default
> >krb5_parse_name (passing the principal name name at domain)
> >krb5_unparse_name (because that is what kinit does)
> >
> >
> Depending on where you put this code, you are likely violating the
> abstraction layer that GSSAPI was designed to provide. An application
> that calls GSSAPI should never call a mechanism-specific API.
>
> -Wyllys
>
> >Then I call krb5_get_init_creds_password and I get an error indicating that
> >my I/O flags are not appropriate. This is a Windows application so tty
> >settings and I/O settings are not really applicable. Is there another way to
> >get a set of credentials given a user name and password? Ideally I would
> >like a gss_cred_id_t handle of the credentials but right now I would take
> >anything.
> >
> >Thank you for your suggestions.
> >
> >Kevin
> >
> >
> >________________________________________________
> >Kerberos mailing list           Kerberos at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
>
>



