Storing delegated credentials

Hugh Cole-Baker sigmaris at gmail.com
Wed Sep 10 13:44:32 EDT 2014 

I posted this on the newsgroup via Google groups a few days ago but it
doesn't seem to have made it to the mailing list, might have been flagged
as spam. I'll resend it here:

I have an application that's a web based 'frontend' to perform some admin
tasks on an LDAP server. Users authenticate to the application using HTTP
Negotiate authentication, and they delegate their Kerberos credentials to
the application. This part all works fine, I can get the delegated
credential from gss_accept_sec_context and use it.

The next part is giving me trouble. I want to use the delegated credential
in the same application to authenticate to an LDAP server using SASL GSSAPI
authentication. The LDAP library I'm using, python-ldap, doesn't have any
option to pass a specific GSSAPI credential to use for authentication, so I
can't pass in the delegated credential handle. So I had the idea of
fork()ing the process, setting a different KRB5CCNAME in the child process
environment, storing the delegated credential in there with gss_store_cred
and then calling the LDAP library.

The problem is, when I set KRB5CCNAME to a nonexistent file, or a new empty
file in /tmp, I get an error from gss_store_cred that the cache doesn't
exist or has a bad format. I then tried copying a valid cache to a new file
in /tmp and then setting the KRB5CCNAME to that file, and then
gss_store_cred was able to store the delegated credential into the existing
ccache, but it isn't setting it as the default principal. When I list the
contents of the ccache, I can see:

Ticket cache: FILE:/tmp/newccache
Default principal: HTTP/my.app.server at MY.REALM

Valid starting    Expires           Service principal
06/09/2014 02:23  06/09/2014 12:23  krbtgt/MY.REALM at MY.REALM
06/09/2014 07:52  06/09/2014 17:51  krbtgt/MY.REALM at MY.REALM
        for client hugh at MY.REALM

HTTP/my.app.server at MY.REALM is the app server, and it obtains a TGT using
its keytab and k5start when it runs. That's the first TGT, the second TGT
for hugh at MY.REALM is the one stored by gss_store_cred. What I'd like is to
get the delegated credential to be the default principal in the ccache, so
that the LDAP library uses it.

I am calling gss_store_cred with the overwrite and default arguments set to
1, which I thought would make the stored credential the default principal
in the ccache. Am I going about this using the wrong approach? Using MIT
Kerberos 1.10 on Linux (Ubuntu 12.04). Thanks!

More information about the Kerberos mailing list