Credentials for an arbitrary user.

Kevin Burton rkevinburton at charter.net
Tue Feb 3 18:12:01 EST 2004


The client will more than likely be running on UNIX but I need to test it on
Windows. Right now I am using KfW 2.6 beta.

Kevin

"Douglas E. Engert" <deengert at anl.gov> wrote in message
news:40200016.401D0036 at anl.gov...
>
>
> Kevin Burton wrote:
> >
> > I am trying to interface with our Windows 2000 server using Kerberos. I
> > would like a client to obtain a credential handle for a given user with a
> > supplied password.
>
> If the client is running on UNIX, you can set KRB5CCNAME ....
> then do a kinit then call your application. The gss_acquire_cred will use
> the underlying implementation's method to find the credential.
>
> If the client is on Windows there are some other things you can do.
>
> > Using GSSAPI this involves calling gss_init_sec_context
> > and instead of passing GSS_C_NO_CREDENTIAL I would like to pass the opaque
> > handle gss_cred_id_t which is obtained via gss_acquire_cred. The problem is
> > that gss_acquire_cred only has the option to specify a credential by name
>
> The name would be which credential in a credential cache. It's not what
> you might think.
>
> > (not password). So I am assuming that the way to go would be to look at what
> > kinit does and then the "name" of the credential is probably the principal
> > name. I call the following:
> >
> > krb5_init_context
> > krb5_cc_default
> > krb5_parse_name (passing the principal name name at domain)
> > krb5_unparse_name (because that is what kinit does)
> >
> > Then I call krb5_get_init_creds_password and I get an error indicating that
> > my I/O flags are not appropriate. This is a Windows application so tty
> > settings and I/O settings are not really applicable. Is there another way to
> > get a set of credentials given a user name and password? Ideally I would
> > like a gss_cred_id_t handle of the credentials but right now I would take
> > anything.
>
> (This is not tested:)
>  #!/bin/sh
>  KRB5CCNAME=FILE:/tmp/krb5_cc.appl.$$   # i.e. make it unique
>  export KRB5CCNAME
>  kinit
>  application
>  kdestroy
>
> If it has to be in the application how about something like:
>   setenv("KRB5CCNAME", somefilename, 1); /* 1 = overwrite any existing value */
>   system("kinit"); /* or call some krb5 routines */
>   gss_acquire_cred();
>
>
> >
> > Thank you for your suggestions.
> >
> > Kevin
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> -- 
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
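
The wrapper approach suggested in the reply above, written out as an added example that is not part of the original thread. It goes slightly beyond the quoted script by using a private `mktemp -d` directory for the cache and by always cleaning up; the function name, the `KINIT`/`KDESTROY` override variables and the sample principal are assumptions.

```shell
#!/bin/sh
# Added example: run one command with its own Kerberos credential cache.
# KINIT/KDESTROY overrides and the function name are assumptions of this sketch.
KINIT=${KINIT:-kinit}
KDESTROY=${KDESTROY:-kdestroy}

# Usage: with_private_ccache PRINCIPAL COMMAND [ARGS...]
with_private_ccache() {
    [ "$#" -ge 2 ] || { echo "usage: with_private_ccache principal cmd..." >&2; return 2; }
    cc_principal=$1
    shift

    # mktemp -d makes a mode-0700 directory with an unpredictable name, so no
    # other local user can pre-create or read the cache file inside it.
    cc_dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_appl.XXXXXX") || return 1
    cc_status=0

    (
        # Subshell: the caller's own KRB5CCNAME is left untouched.
        KRB5CCNAME="FILE:$cc_dir/cc"
        export KRB5CCNAME
        # kinit prompts for the password itself; the command runs only if a
        # ticket was obtained, and gss_acquire_cred() in it finds this cache.
        "$KINIT" "$cc_principal" && "$@"
    ) || cc_status=$?

    # Always destroy the tickets and remove the directory, even on failure.
    KRB5CCNAME="FILE:$cc_dir/cc" "$KDESTROY" -q >/dev/null 2>&1 || :
    rm -rf "$cc_dir"
    return "$cc_status"
}

# Example call (constructed principal and command name):
#   with_private_ccache alice@EXAMPLE.COM ./application
```

The function returns the exit status of `kinit` if authentication fails, otherwise that of the wrapped command.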



