Using tickets for several users

Douglas E. Engert deengert at anl.gov
Tue Dec 20 14:17:03 EST 2011



On 12/20/2011 12:49 AM, Kupchuk, Mikhail wrote:
> Hello, guys!
>
> I need to do the following task:
> Authenticate in KDC (MS Domain Controller) using login/pass received from user (by HTTP, but it does not matter here), get ticket.
> Forward that ticket to another host (I request a proxiable ticket, so that's ok) and use it in HTTP Negotiate authentication (libcurl + GSS API).
>
> Everything goes ok while I test the scheme using one user. But when I forward several users' tickets to the second host, I face the problem that the GSS/KRB library can't find the stored user's credentials in the credentials cache.
>

Look at the Apache module mod_auth_kerberos
  http://modauthkerb.sourceforge.net/



> Here is the simplified scheme that I use:
>
> "Entrance", auth host:
> // global section, executed only once
> krb5_init_context // init context
> krb5_cc_default // use default credentials cache
>
> // section being performed for each new user
> krb5_... // prepare principal and options
> krb5_get_init_creds_password // authenticate user in KDC and get a ticket
> custom_functions... // serialize and send credentials data to second, "working" host
>
> "Working" host:
> // global section, executed only once
> krb5_init_context //init context
> krb5_cc_resolve/krb5_cc_default // use default/specified credentials cache
> krb5_cc_initialize // initialize credentials cache
>
> // section being performed for each new user
> custom_functions... // get credentials data from "entrance" host and deserialize it
> krb5_cc_store_cred // store received credentials in cache
> gss_import_name // prepare principal
> gss_acquire_cred // get credentials from cache
> gss_init_sec_context // init gss context using credentials from cache
>
> As I mentioned above, this scheme works fine with one user, but fails on gss_acquire_cred if I do store several credentials using krb5_cc_store_cred.
> As far as I can understand, the simplest solution could be the separate credentials cache for each user, i.e. call krb5_cc_resolve("cache_name_based_on_user_name")->krb5_cc_initialize->krb5_cc_store_cred (or something like that) before every gss_acquire_cred->gss_init_sec_context.

Yes, you need to do something like this.

> But it is a little bit heavy way which I prefer to use latter case. Is there a way to make MIT KRB library manage these caches based on user's principal?
>
> Thanks in advance!
>
> Best wishes,
> Michael.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
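
The thread settles on one credentials cache per user, named from the user name, and that name comes from a login received over HTTP. The following is an added example, not code from either poster or from MIT Kerberos: a hypothetical helper, `ccache_name_for_principal`, that builds the string to pass to `krb5_cc_resolve` so that two principals never map to the same cache and the login cannot alter the path. The directory `/var/run/app` and the sample principals are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: derive one credentials-cache name per principal.
 * Only [a-z0-9] is copied through; every other byte becomes _XX (hex).
 * The mapping is injective, so two users never share a cache, and no
 * '/' or '.' from the login can move the file out of dir, even on a
 * case-insensitive filesystem.
 * Assumption: dir is a fixed directory owned by the service (mode 0700).
 * Returns 0 on success, -1 on bad input or if out is too small.
 */
int ccache_name_for_principal(const char *dir, const char *princ,
                              char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p;
    size_t n;
    int w;

    if (dir == NULL || princ == NULL || princ[0] == '\0')
        return -1;
    w = snprintf(out, outlen, "FILE:%s/krb5cc_", dir);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    n = (size_t)w;
    for (p = (const unsigned char *)princ; *p != '\0'; p++) {
        if ((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9')) {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)*p;
        } else {
            if (n + 3 >= outlen)
                return -1;
            out[n++] = '_';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0f];
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed principals; the second is a hostile login string. */
    const char *users[] = { "alice@EXAMPLE.COM", "../../tmp/x@EXAMPLE.COM" };
    char name[256];
    for (size_t i = 0; i < 2; i++)
        if (ccache_name_for_principal("/var/run/app", users[i], name, sizeof name) == 0)
            printf("%s\n", name);   /* string to hand to krb5_cc_resolve */
    return 0;
}
```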

