Using the MSLSA krb5_ccache type with a non-Microsoft KDC

Douglas E. Engert deengert at anl.gov
Sat Dec 20 08:01:50 EST 2003 


Jeffrey Altman wrote:
> 
> MIT kinit could pass use AcquireCredentialHandle but then the resulting
> credential handle
>  must be used instead of the Session ID when accessing the resulting
> cache.  That
> Credential Handle will not be available to other applications.
> 
> What I do not understand is what you would gain by MIT kinit obtaining
> an LSA credential.
> As you said, you currently use either the SSPI or gssapi32.dll.  If you
> are using the MIT
> kinit then you have gssapi32.dll and the appropriate credentials.  Or
> you have the
> krb5_32.dll depending on which method of obtaining the AFS tokens you
> wish to use.

Flexibility. Some users/sites don't want the MIT tools on the machine
at all. Some user/sites are using machines that are not in the realm
or domain and use computer which does not need a password to login.
Yet they need access to network resources like AFS. And then there are 
many that need what you describe below.

> 
> FYI: the aklog which will ship in the next KfW will support using krb5
> credentials to
> obtain afs tokens.
> 
> The primary requirement issue for AFS as I see it is the ability to use
> Kerberos 5 for
> integrated logon so that AFS tokens can be obtained prior to the
> establishment of the
> Logon Session.  This is necessary so that Profiles and Home Directories
> can be stored
> in AFS.  The problem we have at the moment with MIT Kerberos is that the
> existing
> credentials cache implementation is really not safe to use prior to
> Logon Session
> creation.  A single instance of the cache would have to run in SYSTEM
> account
> storing the credentials for all users of the machine.  The contents of
> the cache
> would then not be visible to the user after the Logon Session is
> established.
> I'm currently working on a replace credentials cache implementation to
> address
> this.

Great. 

> 
> Jeffrey Altman
> 
> Douglas E. Engert wrote:
> 
> >A personal workstation at home, to access AFS, or use kx509 for example.
> >The machine does not have to have a principal.
> >
> >The gssklog for example today, will use either the gssapi32.dll or
> >the SSPI. It uses LoadLibrary("gssapi32.dll"); So it can be run on a
> >system with or without the Kerberos package present.  It can get the
> >credentials via the gss_acquire_cred from Kerberos, or via the SSPI
> >AcquireCredentialsHandle or if needed use the SSPI
> >AcquireCredentialsHandle with the AuthIdentity.
> >
> >So for AFS purposes, it can look like the old klog, with a
> >user and password, or it can look like aklog where it uses the
> >available credentials either via Kerberos or Windows.
> >
> >What I am suggesting is that it might be possible to have kinit
> >(or leash) pass in a userid and password to the AcquireCredentialsHandle
> >via the AuthIdentity and get the first TGT. But I have not checked
> >if when the AuthIdentity is used, are the credentials available
> >to other applications.
> >
> >

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list