Establishing client credentials (TGT etc.) with GSSAPI

Chris chriscorbell at gmail.com
Mon Feb 23 17:00:55 EST 2009


On Feb 20, 4:17 pm, Nicolas Williams <Nicolas.Willi... at sun.com> wrote:
> On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote:
> > ...
> > Is it correct that, if you can't rely on default GSSAPI credentials
> > (i.e. login identity and pre-cached TGT), then a client should use
> > gss_acquire_credentials() to establish this? ...
>
> The GSS-API does not give you a way to acquire initial credentials
> (i.e., anything involving interaction with the user to obtain things
> like principal name, password, smartcard/token PIN, ...).  That's out of
> scope for the GSS-API.

Thanks for the reply (and also for the offline reply).

Since this is the case (and btw the client is in C/C++) I added an
upstream call to KLAcquireInitialTicketsWithPassword(), and that did
the trick - the subsequent call to gss_acquire_cred() for the same
principal works now.

FWIW, I was slightly confused with the language in the GSSAPI RFC
which seems to indicate that an implementation of a mechanism (e.g.
Kerberos) is not necessarily compatible with that mechanism used on
its own.  Turns out in this case (at least in C), it's not only
compatible but *required* that you use the API for that mechanism on
its own to make credentials available before using GSSAPI.

- Chris


