GSSAPI / SSPI call for help

Bruce Wells bewskeet at mac.com
Fri Jan 7 06:56:11 EST 2005


Hello To All,
I've been working with Kerberos in a Windows / Linux environment. The KDC is
being run by a W2003 machine. My clients can reside on both Windows and
Linux. These are my questions:

1.) When a client is running on Windows, acquiring the credentials is
straightforward. The assumption is that the user that is currently logged
on is the user whose credentials we will be acquiring. My question is this:
What exactly is going on under the hood when you're on a Linux box and
you're logged on as User A running  and you want to run an application as
User B? Let's say that you're required to enter your username / password.
How does one go about getting the credentials for User B so that the program
can carry on a GSSAPI exchange with a GSSAPI service running on Linux? When
you call gss_acquire_cred, I'm assuming that the gss / Kerberos libraries
are going back to the Windows KDC to get the handles to the credentials,
correct? If all I'm getting back from the Windows KDC is a HANDLE to the
credentials, do I really need to gather the password from the user?
Or when you call gss_acquire_cred, is it assuming that credential
information has already been imported into the local krb5.keytab file? If
this is the case, are we saying that I must have keytab cred info for every
user that's set up in Windows Active Directory? Is there a way to force the
libraries to go back to the Windows KDC to get the credential information?

For the record, I can kinit any Windows user from Linux (provided I know their
password) and get their TGT as verified by klist so I know that the config
file is set up correctly to use Windows 2003 as the KDC.

TIA for any and all help,
Bruce.
