using multiple credential cache files in a server
Alexandra Ellwood
lxs at MIT.EDU
Thu May 6 17:58:15 EDT 2004
You can do the same thing in MIT Kerberos with the function
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name (OM_uint32 *minor_status,
const char *name,
const char **out_name);
which allows you to set and/or get the cache name used by the GSSAPI.
It lives in <gssapi/gssapi_krb5.h>.
On May 6, 2004, at 5:18 PM, Rick Macklem wrote:
> rmacklem at uoguelph.ca (Rick Macklem) wrote in message
> news:<e31bcb6b.0404231226.5cd1a21d at posting.google.com>...
>> A gssd daemon for an NFS client needs to be able to use the GSS API
>> call
>> gss_init_sec_context() on behalf of different users (uids). I can see
>> two
>> ways of doing this:
>> 1 - fork off a separate child that does setuid(user_uid) to get
>> context for
>> that user (seems inefficient)
>> OR
>> 2 - Get Initiator credentials for the principal and use those in the
>> gss_init_sec_context() call. This seems preferable, but requires
>> that
>> the server switch to the credentials cache file for the
>> appropriate uid
>> associated with that principal. (At least it seems that a
>> credentials
>> cache file with the correct tgt is required to get Initiator
>> Credentials.)
>>
>> This leads me to my question:
>> How do you get the Kerberos libraries to switch to a different
>> credential cache
>> file whenever you want to get Initiator Credentials for a different
>> uid?
>>
> I don't usually answer my own questions, but I thought someone might be
> interested in how it can be done...
>
> This works using Heimdal (but not MIT's sources, I suspect):
> You can get GSS API Initiator Credentials on behalf of different users
> using
> code something like this:
> extern krb5_context gssapi_krb5_context; /* Internal, YUCK! */
> gss_cred_id_t cred = NULL;
>
> ...
> /*
> * get Initiator cred for a different user.
> */
> if (cred) {
> krb5_cc_close(gssapi_krb5_context, cred->ccache);
> free(cred);
> cred = NULL;
> }
> sprintf(ccname, "/tmp/krb5cc_%d", uid);
> kret = krb5_cc_set_default_name(gssapi_krb5_context, ccname);
> if (!kret) {
> major = gss_acquire_cred(&minor, GSS_C_NO_NAME, ...);
>
> which seems to work ok, assuming the daemon can access the different
> uid's
> cred cache files in /tmp.
>
> Probably not considered acceptable, since it relies on Heimdal's GSS
> API
> internals, but it works, rick
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--lxs
-----------------------------------------------------------------------
Alexandra Ellwood lxs at mit.edu
MIT Information Services & Technology http://mit.edu/lxs/www/
-----------------------------------------------------------------------
More information about the Kerberos
mailing list