Credentials for an arbitrary user.
Kevin Burton
rkevinburton at charter.net
Tue Feb 3 18:12:01 EST 2004
The client will more than likely be running on UNIX but I need to test it on
Windows. Right now I am using KfW 2.6 beta.
Kevin
"Douglas E. Engert" <deengert at anl.gov> wrote in message
news:40200016.401D0036 at anl.gov...
>
>
> Kevin Burton wrote:
> >
> > I am trying to interface with our Windows 2000 server using Kerberos. I
> > would like a client to obtain a credential handle for a given user with a
> > supplied password.
>
> If the client is running on UNIX, you can set KRB5CCNAME ....
> then do a kinit, then call your application. The gss_acquire_cred will use
> the underlying implementation's method to find the credential.
>
> If the client is on Windows there are some other things you can do.
>
> > Using GSSAPI this involves calling gss_init_sec_context
> > and instead of passing GSS_C_NO_CREDENTIAL I would like to pass the opaque
> > handle gss_cred_id_t which is obtained via gss_acquire_cred. The problem is
> > that gss_acquire_cred only has the option to specify a credential by name
>
> The name would be which credential in a credential cache. It's not what
> you might think.
>
> > (not password). So I am assuming that the way to go would be to look at what
> > kinit does and then the "name" of the credential is probably the principal
> > name. I call the following:
> >
> > krb5_init_context
> > krb5_cc_default
> > krb5_parse_name (passing the principal name name at domain)
> > krb5_unparse_name (because that is what kinit does)
> >
> > Then I call krb5_get_init_creds_password and I get an error indicating that
> > my I/O flags are not appropriate. This is a Windows application so tty
> > settings and I/O settings are not really applicable. Is there another way to
> > get a set of credentials given a user name and password? Ideally I would
> > like a gss_cred_id_t handle of the credentials but right now I would take
> > anything.
>
> (This is not tested:)
> #!/bin/sh
> KRB5CCNAME=FILE:/tmp/krb5_cc.appl.$$   # i.e. make it unique
> export KRB5CCNAME
> kinit
> application
> kdestroy
>
> If it has to be in the application, how about something like:
> setenv("KRB5CCNAME", somefilename, 1);
> system("kinit"); /* or call some krb5 routines */
> gss_acquire_cred();
>
>
> >
> > Thank you for your suggestions.
> >
> > Kevin
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
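The wrapper script quoted above uses a cache name built from the process ID, which is unique but predictable to other local users. The following is an added example, not part of the original thread: the same kinit / application / kdestroy sequence using a cache inside a private directory and cleaning up on every exit path. It assumes `kinit`, `kdestroy` and `mktemp` are on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): run a command with its own private
# Kerberos credential cache and destroy the cache whatever the outcome.
# Assumes kinit, kdestroy and mktemp are on PATH; function names are hypothetical.

# Create a 0700 directory with an unpredictable name and print the
# KRB5CCNAME value for a cache file inside it.
new_private_ccache() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc.XXXXXXXX") || return 1
    chmod 700 "$dir" || return 1
    printf 'FILE:%s/ccache\n' "$dir"
}

# with_private_ccache PRINCIPAL COMMAND [ARGS...]
# Returns COMMAND's exit status, or 1 if no ticket could be obtained.
# The body is a subshell, so KRB5CCNAME and the traps do not leak to the caller.
with_private_ccache() (
    principal=$1
    shift
    KRB5CCNAME=$(new_private_ccache) || exit 1
    export KRB5CCNAME
    ccdir=${KRB5CCNAME#FILE:}
    ccdir=${ccdir%/ccache}
    # Remove the tickets and the directory on normal exit and on signals.
    trap 'kdestroy >/dev/null 2>&1; rm -rf "$ccdir"' EXIT
    trap 'exit 130' INT TERM HUP
    kinit "$principal" || exit 1   # prompts for the password on the terminal
    "$@"                           # gss_acquire_cred in COMMAND finds the cache via KRB5CCNAME
)
```

Typical use is `with_private_ccache user@REALM application`, where `application` passes the default credential to GSSAPI.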