Kerberos Constrained Delegation and Credential Caching

Nebergall, Christopher cneberg at
Mon Mar 11 20:23:58 EDT 2013

Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?   In the example krb5-1.10.3/src/tests/gssapi/t_s4u.c at near the end of contrainedDelegate function after the gss_init_sec_context tried to copy the delegated_cred_handle to a credentials cache.    I've NEVER seen the a service ticket for the end service make to the cache file so I'm not sure which cred cache I should be using.

I've tried 1) just using the default cache

2) with gss_store_cred with

memset(&elements_stored, 0, sizeof(elements_stored));
memset(&cred_usage_stored, 0, sizeof(cred_usage_stored));
major = gss_store_cred(&minor, delegated_cred_handle, GSS_C_BOTH, GSS_C_NULL_OID, 1, 1, &elements_stored, &cred_usage_stored);

3) or with gss_krb5_copy_ccache

Nothing shows a cached the service ticket.   I'm not even certain which prinicipal I should initialize the ccache with - the impersonator prinicipal, or the user principal name?

I've also tried various methods of reading the new cache back in and then re-running constrainedDelegate but I often get a "gss_init_sec_context: Matching credential not found"

My goal is to put this code into mod_auth_kerb with mod_proxy but I'm unclear how to make it not hit the KDC with every request if I can't get a credential's cache saved, and reloaded between requests.


More information about the Kerberos mailing list