how to achieve what kinit does programmatically?
Kent_Wu@trendmicro.com
Kent_Wu at trendmicro.com
Wed Jun 4 13:22:11 EDT 2003
Thx, K.C. You got it. Once I changed the krb5.conf location then it works.
Kent
-----Original Message-----
From: Kevin Coffman [mailto:kwc at citi.umich.edu]
Sent: Wednesday, June 04, 2003 5:50 AM
To: Kent Wu (RD-US)
Cc: Kevin Coffman
Subject: Re: how to achieve what kinit does programmatically?
HEre's a wild guess. You said you used the Solaris kinit. I believe
their krb5.conf file is in a different location than where the MIT code
expects it. The MIT code wants it in /etc/krb5.conf while I think
Solaris SEAM has it in /etc/kerberos/krb5.conf or something.
Just a guess.
K.C.
> Hi:
>
> While trying to use krb5_get_init_creds_password() to get the TGT, it always pops up the error message: "cannot resolve network address for KDC in requested realm getting initial ticket". The odd thing is I'm pretty sure my krb5.conf and DNS setting is correct since I can get the TGT thru Solaris tool "kinit".
>
> Since it's lack of documentation for this API I suspected maybe some parameter I passed in was wrong, this API's signature is like this:
>
> krb5_get_init_creds_password(krb5_context context,
> krb5_creds *creds,
> krb5_principal client,
> char *password,
> krb5_prompter_fct prompter,
> void *data,
> krb5_deltat start_time,
> char *in_tkt_service,
> krb5_get_init_creds_opt *options);
>
> the following is how I invoked it, here I already got the password so I don't need a prompter I guess, I also passed 0(NULL) to argument data, start_time, in_tkt_service and options based on the assumption that I either don't need them or can use the default value in krb5.conf.
>
> krb5_get_init_creds_password(context,
> &creds,
> princ,
> "mypasswd",
> 0,
> 0,
> 0,
> 0,
> 0);
>
> Did I miss something here thus causing the error message?
>
> Thx a lot, guys.
>
> Kent
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Tuesday, June 03, 2003 6:45 AM
> To: Kent Wu (RD-US); heimdal-discuss at sics.se; hotz at jpl.nasa.gov;
> hartmans at mit.edu; krbdev at mit.edu
> Subject: Re: how to achieve what kinit does programmatically?
>
>
>
>
> Kent_Wu at trendmicro.com wrote:
> >
> > I looked at the krb pam package but it looks like the function there would still prompt for user's passwd before it can get the TGT. The goal I want to achieve here is to do it without the prompt since I can get the user/passwd pair beforehand(thru proxy authorization maybe).
> >
> > So can krb5_get_init_creds_password() do the job without interaction? I've downloaded the MIT Kerberos package however it seems it doesn't have good documentation though. Does Heimdal provide better documentation?
> >
>
>
> The PAM exit I have seen, passes in "pass" as the password, as the PAM modules do the
> actually
> prompting. Here is a code snipit for the MIT kinit.c which pases in a password read from
> stdin.
> It calls krb5_get_init_creds_password. You can use it as an example.
>
> *** 776,783 ****
>
> switch (opts->action) {
> case INIT_PW:
> code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
> ! 0, kinit_prompter, 0,
> opts->starttime,
> opts->service_name,
> &options);
> --- 784,804 ----
>
> switch (opts->action) {
> case INIT_PW:
> + if (opts->pstdin) {
> + pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1);
> + if (pstdin_pw_size > 0) {
> + if (pstdin_pw[pstdin_pw_size-1] == '\n') {
> + pstdin_pw_size--;
> + }
> + pstdin_pw[pstdin_pw_size] = '\0';
> + } else {
> + pstdin_pw_size = 0;
> + }
> + }
> +
> code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
> ! (pstdin_pw_size > 0)? pstdin_pw: 0,
> ! kinit_prompter, 0,
> opts->starttime,
> opts->service_name,
> &options);
>
> > Thx.
> >
> > Kent
> >
> > -----Original Message-----
> > From: Douglas E. Engert [mailto:deengert at anl.gov]
> > Sent: Friday, May 30, 2003 7:13 AM
> > To: Kent Wu (RD-US); heimdal-discuss at sics.se
> > Cc: Henry B. Hotz
> > Subject: Re: how to achieve what kinit does programmatically?
> >
> > Another example of getting a TGT from a password would be one of the
> > many krb pam routines. Are you using the Solaris SEAM version of
> > Kerberos, if so look at the Sun documentation. You can also look at
> > the kinit source :-)
> >
> > "Henry B. Hotz" wrote:
> > >
> > > At 11:53 AM -0700 5/29/03, Kent_Wu at trendmicro.com wrote:
> > > >Hi:
> > > > I can use "kinit" to get a TGT from a win2000 KDC in my
> > > >Solaris machine and I also assume there must be Kerberos API's to
> > > >achieve the same thing programmatically in C. However I couldn't
> > > >find too much info on this. Could anyone kindly tell me the correct
> > > >way to do it?
> > > > Another odd thing is in my /usr/lib/krb5 folder I can find
> > > >some kerberos libraries which contains some API symbols like
> > > >krb5_init_context however I couldn't find any man page for this
> > > >function. Do I miss something here or I need to download separate
> > > >Kerberos library to do this?
> > >
> > > This question properly should go to an MIT Kerberos list, but I've
> > > been looking into it myself so here goes:
> > >
> > > OSX includes the latest MIT K5 release, however it does not include
> > > the man pages or documentation. What you need to do is go to the MIT
> > > site and download the latest source distribution. That will include,
> > > among other things, some TeX documentation which is pretty complete.
> > >
> > > Now is it accurate? I do know that it documents a
> > > get-tgt-with-password type function that exists, but is different
> > > from the function actually used by either NetBSD/Heimdal kinit or MIT
> > > kinit (which are different from each other as well). In other words
> > > just because MIT has more documentation than Heimdal doesn't mean
> > > it's better. |-(
> > >
> > > What I intend to do in my "copious free time" is try lifting code
> > > from the MIT kinit source and seeing if I can get that to work. I
> > > was not successful in getting the documented routine to work.
> > >
> > > I also looked at the GSSAPI documentation from Sun and it appears
> > > that that API assumes you already have a tgt (unless you're a
> > > server). I think SASL wraps GSSAPI so that wouldn't solve the
> > > problem either.
> > > --
> > > The opinions expressed in this message are mine,
> > > not those of Caltech, JPL, NASA, or the US Government.
> > > Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> >
> > --
> >
> > Douglas E. Engert <DEEngert at anl.gov>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
More information about the krbdev
mailing list