MSLSA krb5_ccache: please let me know if this is a bad idea
Jeffrey Altman
jaltman at columbia.edu
Wed Dec 17 15:41:14 EST 2003
Ticket 2049 <https://krbdev.mit.edu/rt/Ticket/Display.html?id=2049>
describes the
addition of a new krb5_ccache type, MSLSA, which provides read-only
access to the
Microsoft LSA Kerberos cache via the krb5_ccache api. This
implementation was
primarily meant for use by applications which desired ms2mit.exe
functionality
to reduce the large amount (800+ lines) of esoteric code which was
required to
obtain a TGT.
It is not possible to make the Microsoft LSA Kerberos cache writable but
it occurred
to me that it might be possible to fake it. So please tell me if this
is a horrible
idea. There is nothing I can do to implement the krb5_cc_initialize() or
krb5_cc_generate_new() functions so lets ignore them. However, for the
krb5_cc_store()
function we can attempt the following trick:
* obtain the service principal, flags and encryption type from the
creds to be stored
* instead of storing the cred, request the Kerberos LSA to obtain a
new cred using the extracted parameters
The end result will be that the MSLSA krb5_ccache will contain a service
ticket for the next time an application requests one. However, the
session key will be different in the stored ticket from the one which
was used by the application. Instead of returning KRB5_OK or
KRB5_CC_READONLY, I would suggest a new error code KRB5_CC_NEWCRED.
So what do you think?
Thanks
- Jeff
More information about the krbdev
mailing list