Using GSSAPI to Authenticate to AD

neelsmail@rediffmail.com neelsmail at rediffmail.com
Wed Aug 27 09:30:13 EDT 2008


On Aug 27, 1:53 pm, neelsm... at rediffmail.com wrote:
> Hi,
>
> I want to authenticate an Active Directory User using GSSAPI. The code
> would be in C++. To be specific here is the scenario:
>
> 1] End user adopts/creates one or more Active Directory users using
> any of the AD integration packages on Linux.
> 2] In my executable, which would be always running as root, I find out
> that I need to use AD user and authenticate using GSSAPI
> 3] I cannot impersonate as the user because that would change user
> context of whole process.
> 4] Therefore, I need to somehow find out whether there is already a
> ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
> GSSAPI: GSSAPI::Name->import?)
> 5] If not, process would obtain one.
> 6] Get the ticket and initialize the security context (Win32SDK:
> InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
> 7] Get the token and send it for authentication
>
> If the process is running in the user context which needs to be
> authenticated, it's easier and I have a perl implementation of it. But in
> this case, since the process will always be running as root, I don't know
> if there is a way I can know/get a ticket for authentication.
>
> Is there a sample/example that can, at least in parts if not
> completely, illustrate how this can be done using C/C++ somewhere?
>
> I found one link on MSDN but don't know whether that's the entire flow/
> applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx
>
> Any comments would be welcome.
>
> Thanks in advance,
> -Neel.


After searching for the answer, I believe the question above can be
shortened to:
How can I acquire a handle to the credentials of a different user than the
one the process is running as, without impersonating that user?

I found this post:
http://groups.google.co.in/group/comp.protocols.kerberos/browse_thread/thread/2c9a3e5f2d38ef86/5c09a9d4ee799b04?hl=en&lnk=st&q=gss_init_sec_context+%22KRB5CCNAME%22#5c09a9d4ee799b04

It mentions setting KRB5CCNAME before calling gss_acquire_cred,
which may be simple, but that raises a couple of questions:
- If I am running a multi-threaded application where each thread needs to set
KRB5CCNAME so that it can call gss_acquire_cred, it will affect the whole
application. Is there a way to let gss_acquire_cred/
gss_init_sec_context know which credential cache to use without
blocking the whole app?

- Even though I can specify which credential cache file name to use
from within my app, any external "kinit" calls will still create
different files. Is there an API where I can specify which user I need
to get the ticket of, if one has already been created?

Again, any comments will be welcome.

Thanks,
-Neel.