On credential cache separation between service ticket and TGT
Arpit Srivastava
arpit.orb at gmail.com
Wed Mar 19 10:48:57 EDT 2014
Thanks Greg
I am able to write a new krb5cc which contains only the service ticket.
But, the token hence generated by gss_init_sec_context using this
credential file when used for HTTP Negotiate gives 401 Unauthorized.
Do you see any possible catch here that might be causing this ?
Arpit
On Wed, Mar 5, 2014 at 10:12 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On 03/05/2014 10:55 AM, Arpit Srivastava wrote:
> > That is the problem now. How to separate service tickets from the TGT so
> > as to copy it (only) to the different cache ? It would be great if you
> > can give some pointers.
>
> 1. Open the original ccache with krb5_cc_resolve.
> 2. Retrieve the service cred with krb5_cc_retrieve_cred.
> 3. Close the original ccache with krb5_cc_close.
> 4. Open the new ccache with krb5_cc_resolve.
> 5. Initialize the new ccache with krb5_cc_initialize.
> 6. Store the previously obtained cred with krb5_cc_store_cred.
> 7. Close the new ccache with krb5_cc_close.
> 8. Release the service cred with krb5_free_cred_contents.
>
> Documentation for these functions is at:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/index.html
>
> If you have to iterate over the source ccache to find the service ticket
> because krb5_cc_retrieve_cred won't work for you, use
> krb5_cc_start_seq_get, krb5_cc_next_cred, and krb5_cc_end_seq_get.
>
More information about the Kerberos
mailing list