Storing delegated credentials

Greg Hudson ghudson at mit.edu
Thu Sep 11 11:21:14 EDT 2014


On 09/10/2014 01:44 PM, Hugh Cole-Baker wrote:
> What I'd like is to
> get the delegated credential to be the default principal in the ccache, so
> that the LDAP library uses it.

I agree that the current behavior (present since 1.8) is unhelpful, and
it's not consistent with other implementations of gss_store_cred.  I
have filed a ticket for better ccache selection behavior from
gss_store_cred:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=8010

I can't promise when we will implement the improved behavior, though.

> I am calling gss_store_cred with the overwrite and default arguments set to
> 1, which I thought would make the stored credential the default principal
> in the ccache. Am I going about this using the wrong approach? Using MIT
> Kerberos 1.10 on Linux (Ubuntu 12.04). Thanks!

Since 1.11 we have supported an extension gss_store_cred_into, which can
receive a ccache name via the cred_store argument.  It is unfortunately
not documented in our main documentation, so I can only refer to the
project page:

    http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions

gss_store_cred_into does initialize the ccache if it is provided with a
ccache name, so its behavior is closer to what you want.  However, since
you're using krb5 1.10, you may need to instead initialize the default
ccache yourself, which is inelegant and laborious (gss_display_name and
krb5_parse_name to get the principal, krb5_cc_default,
krb5_cc_initialize, krb5_cc_close).

There is also gss_krb5int_copy_ccache, an old extension, but it also
requires you to initialize the ccache.  If you're already initializing
the ccache yourself, you can pass the initialized, open ccache handle to
this function instead of going through the more complicated gss_store_cred.
