getting a service ticket

Alexandra Ellwood lxs at MIT.EDU
Mon Nov 17 14:25:55 EST 2003

>On Nov 13, 2003, at 6:08 PM, Alexandra Ellwood wrote:
>>>I'm looking for hints on how to get a service ticket( tgt may not 
>>>exist ) and place it in a new CCache.
>>Look at the sources for kvno (src/clients/kvno/kvno.c in the 
>>krb5-1.3.1 sources) for sample code which gets a service ticket 
>>manually from a TGT.   Note that if you are on Mac OS X and trying 
>>to store a v4 service ticket you will need to call into the CCAPI 
>>rather than the tf_*() APIs.
>Thanks, this looks promising.
>>Note that service tickets are usually automatically acquired when 
>>you try to connect to a service.  Is there some reason you need to 
>>get a service ticket manually (that isn't already covered by some 
>>other utility such as kvno or aklog)?
>We're trying to solve the problem where our CUPS backend which runs 
>as root, can't access the users' credentials.  Our kludge for 
>authenticated printing under Jaguar didn't survive into Panther.  In 
>our new and improved kludge for Panther we're planning on getting 
>the service ticket while still in the users' space as a Printer 
>Dialog extension and writing this service ticket to /tmp.  Later in 
>the CUPS backend we're reading this service ticket from /tmp then 
>deleting the service ticket once the print job finishes.

If you are trying to store a v4 ticket to a ticket file, you will 
need to incorporate your own v4 ticket writing code.  KfM does not 
have the ability to write out v4 tickets to a file.  You can steal 
source code to do this from the krb4 implementation inside the krb5 
sources (src/lib/krb4 in the krb5-1.3.1 source tree).

If you are trying to store a v5 ticket, you can use the krb5_cc_*() 
functions to store tickets in a file.  Just use krb5_cc_resolve() 
with a file based cache name (eg: "FILE:/tmp/mytix").  In order to 
get the CCAPI-based ccache to read the tickets from, use 
krb5_init_context() and then krb5_cc_default() to get a krb5_ccache 
reference to the current system default cache.  Note that the system 
default is cached when you call krb5_init_context(), so don't use the 
same context every time or you won't pick up changes to the system 
default cache.

Given that krb4 is not-so-secure anymore, we strongly recommend using krb5.

Hope this helps,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list