Using GSSAPI to Authenticate to AD

Michael B Allen ioplex at
Thu Aug 28 15:55:27 EDT 2008

On Thu, Aug 28, 2008 at 9:12 AM,  <neelsmail at> wrote:
> - Now, how do I initialize the security context for userB if my
> process is running in root's context?
> I found one more thread about this :
> As mentioned in the thread above, it is possible to switch to
> different user security context using gss_krb5_ccache_name. There are
> problems there as well though:
> - If you want to switch user contexts multiple times, in multiple
> threads, application's performance gets affected because initializing
> security context (or one of the steps in it) is a lengthy operation -
> on my setup it takes almost 5 seconds.
> - I believe the switch has to be synchronized so that unless
> gss_init_sec_context in one thread completes, I cannot call
> gss_krb5_ccache_name from anywhere else in my application - that
> increases the delay in multi threaded application even more.
> That was the reason why I wanted to know whether gss_init_sec_context
> somehow accepts a local parameter so that initializing security
> contexts of different users can be independent of each other.

The gss_init_sec_context function accepts a gss_cred_id_t parameter
that represents the initiator credential. This credential can be
obtained for an arbitrary account using the gss_acquire_cred function
provided a credential for the desired account is available for the
target mechanism.

There is no need to change your identity with setuid unless you will
be performing local operations that require the identity be a certain
local account. GSSAPI has no knowledge of local accounts and never
looks at the default identity of the user (however if no gss_cred_id_t
is supplied at all, the underlying mechanism may use the local
identity to guess where it might find credentials).

Meaning, you want to export the KRB5CCNAME environment variable to
point to a ccache file with credentials for the desired account. This
assumes of course that there is such a credential. Unfortunately
GSSAPI does not define how to acquire initial credentials. Like I said
- there are a lot of details that are not handled by GSSAPI alone.


Michael B Allen
PHP Active Directory SPNEGO SSO
