On credential cache separation between service ticket and TGT

Arpit Srivastava arpit.orb at gmail.com
Tue Mar 18 11:21:21 EDT 2014


Thanks Greg and Russ,

I am trying to implement this logic. However, I am facing these problems:

1. Calling krb5_cc_initialize() fails with return value "-1765328190" which
is "Credentials cache permission incorrect". What could be the reason for
this error?
    Do I need to create a different context handle for handling another
credential?

2. If my original cache is krb5cc_uid, then how do I write another cache file
which shall contain service tickets? What I am doing right now is setting
env var KRB5CCNAME to a different path (and then storing
krb5cc_xyz containing the service ticket there) and then setting it back to
the original one.

Arpit

On Wed, Mar 5, 2014 at 10:12 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 03/05/2014 10:55 AM, Arpit Srivastava wrote:
> > That is the problem now. How to separate service tickets from the TGT so
> > as to copy it (only) to the different cache? It would be great if you
> > can give some pointers.
>
> 1. Open the original ccache with krb5_cc_resolve.
> 2. Retrieve the service cred with krb5_cc_retrieve_cred.
> 3. Close the original ccache with krb5_cc_close.
> 4. Open the new ccache with krb5_cc_resolve.
> 5. Initialize the new ccache with krb5_cc_initialize.
> 6. Store the previously obtained cred with krb5_cc_store_cred.
> 7. Close the new ccache with krb5_cc_close.
> 8. Release the service cred with krb5_free_cred_contents.
>
> Documentation for these functions is at:
>
>   http://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/index.html
>
> If you have to iterate over the source ccache to find the service ticket
> because krb5_cc_retrieve_cred won't work for you, use
> krb5_cc_start_seq_get, krb5_cc_next_cred, and krb5_cc_end_seq_get.
>

