How to get a GSSAPI context from a KRB5 credentials cache
beheer@topdesk.com
Tue Dec 1 12:52:30 EST 2009
Hi,
I'm trying to modify Apache2-2.2.9 "mod_proxy_http" on Debian Lenny to send an "Authorization: Negotiate [base64_token]" header to a backend server on behalf of the user, but I have some problems generating the GSSAPI token.
As part of the authentication process, I use "mod_webauth", which creates a credentials cache in KRB5CCNAME=/var/lib/webauth/cred_cache/temp.krb5.xxxxxx with the correct credentials. What I want is to initialize a GSSAPI security context from this file, but I don't know how. I've looked around, and I can successfully create a Kerberos 5 context, but then I don't know how to transform this into GSSAPI:
    krb5_context ctx = NULL;            /* declarations added so the fragment is complete */
    krb5_ccache temp_ccache = NULL;
    krb5_error_code ret_krb5;
    const char *ccache_name;

    /* mod_webauth exports the per-user cache path in the request environment */
    ccache_name = apr_table_get(r->subprocess_env, "KRB5CCNAME");
    if (ccache_name == NULL) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "proxy: krb5_auth_headers: no KRB5CCNAME found");
    } else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "proxy: krb5_auth_headers: KRB5CCNAME %s found", ccache_name);
        /* Initialize Kerberos context and read credentials cache */
        ret_krb5 = krb5_init_context(&ctx);
        if (ret_krb5 != 0) {
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                         "proxy: krb5_auth_headers: error initializing krb5 context");
        } else {
            /* only resolve the cache once the krb5 context actually exists */
            ret_krb5 = krb5_cc_resolve(ctx, ccache_name, &temp_ccache);
            if (ret_krb5 != 0)
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                             "proxy: krb5_auth_headers: KRB5CCNAME %s could not be resolved", ccache_name);
        }
    }
I would like to "somehow" transform the following Perl code into C:
    use GSSAPI;
    use MIME::Base64 qw(encode_base64);

    my ($status, $ttl);
    my $target;   # the backend's service name (a GSSAPI::Name), imported before this point
    {   # bare block so that "or last" has a block to leave
        my $ctx = GSSAPI::Context->new();
        my $imech = GSSAPI::OID::gss_mech_krb5;
        my $iflags = 0;
        my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
        my $creds = GSS_C_NO_CREDENTIAL;
        my $itime = 0;
        my $itoken = q{};
        my $otoken;
        $status = $ctx->init($creds, $target,
            $imech, $iflags, $itime, $bindings, $itoken,
            undef, $otoken, undef, undef) or last;
        $status = $ctx->valid_time_left($ttl) or last;
        print "\n Security context's time to live $ttl secs";
        print "\n Negotiate " . encode_base64($otoken, "");
    }
However, how can I tell GSSAPI to use the credentials cache I just opened? I tried "gss_krb5_acquire_cred_cache" and "gss_export_cred", but they are not available in libgssapi-krb5-2 on my Debian installation. I also looked in Heimdal package, but no luck. :(
Could you please give me an orientation on what to do? Thank you very much!
Kind regards,
--
Xesc