Using tickets for several users

Kupchuk, Mikhail Mikhail.Kupchuk at billing.ru
Tue Dec 20 01:49:14 EST 2011


Hello, guys!

I need to do the following task:
Authenticate to the KDC (MS Domain Controller) using the login/password received from the user (over HTTP, but that does not matter here) and get a ticket.
Forward that ticket to another host (I request a proxiable ticket, so that's OK) and use it in HTTP Negotiate authentication (libcurl + GSS API).

Everything goes OK while I test the scheme with one user. But when I forward several users' tickets to the second host, I face the problem that the GSS/KRB library can't find the stored user's credentials in the credentials cache.

Here is the simplified scheme that I use:

"Entrance", auth host:
  // global section, executed only once
  krb5_init_context              // init context
  krb5_cc_default                // use default credentials cache

  // section being performed for each new user
  krb5_...                       // prepare principal and options
  krb5_get_init_creds_password   // authenticate user in KDC and get a ticket
  custom_functions...            // serialize and send credentials data to second, "working" host

"Working" host:
  // global section, executed only once
  krb5_init_context                    // init context
  krb5_cc_resolve/krb5_cc_default      // use default/specified credentials cache
  krb5_cc_initialize                   // initialize credentials cache

  // section being performed for each new user
  custom_functions...                  // get credentials data from "entrance" host and deserialize it
  krb5_cc_store_cred                   // store received credentials in cache
  gss_import_name                      // prepare principal
  gss_acquire_cred                     // get credentials from cache
  gss_init_sec_context                 // init gss context using credentials from cache

As I mentioned above, this scheme works fine with one user, but fails on gss_acquire_cred if I store several credentials using krb5_cc_store_cred.
As far as I can understand, the simplest solution could be a separate credentials cache for each user, i.e. call krb5_cc_resolve("cache_name_based_on_user_name")->krb5_cc_initialize->krb5_cc_store_cred (or something like that) before every gss_acquire_cred->gss_init_sec_context.
But that is a bit of a heavyweight approach, which I would prefer to use only as a last resort. Is there a way to make the MIT KRB library manage these caches based on the user's principal?

Thanks in advance!

Best wishes,
Michael.


