Kerberos tgt fowarding

Derrick Schommer dschommer at acopia.com
Tue Aug 24 15:57:45 EDT 2004 

Hello,
 
I'm trying to forward a kerberos TGT using the MIT api's, but I'm having
issues with the second_ticket field.  
 
What I want to do is obtain a service ticket (Kerberos 5 version 1.3.4)
and then obtain a forwarded/forwardable ticket so that I can "pass it
on" to the remote server.  However I either a) just don't have a clue or
b) have a few key things missing:
 
// Stripped down to the three major steps I'd think are needed...
// Already did a krb5_get_credentials, context, 0, credCache, &creds,
&serviceTkt);
 
krb5_fwd_tgt_creds( context, ctxAuth, 0, creds->client, creds->server,
                                credCache, 1, &pData );
 
creds->second_ticket = pTgt;  // Is this even close to being correct?
 
krb5_get_credentials( context, KRB5_GC_USER_USER,  credCache, &creds,
&new_creds ) ;
 
Unfortunately this last call returns to me KRB5_BADMSGTYPE, which I
believe its getting from the asn1 encode, as if the second_ticket "data"
doesn't have an AP_REQ header field in it (the data length is 1183 so
its not a null value).  I'd like to next call krb5_mk_req_extended to
build an AP-REQ to send to a CIFS service (in my cifs sessionSetup) but
I need to get the two tickets to become one so that I can send them to
the host.
 
I'm sure I'm missing some key data setup routines or something.  All the
examples I've found do a krb5_read_message() or something to grab the
second_ticket, but I think that my second_ticket should be the
"Forwarded/forwardable" ticket so I was using krb5_fwd_tgt_creds().  Any
ideas?  
 
Derrick 
  
--------------------------------------------------------
 
DISCLAIMER:   The information contained in this e-mail is confidential and is intended solely for the review of the named addressee, and in conjunction with specific Acopia Networks business.  Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you are unable to treat this information accordingly, or are not the intended recipient, please notify us immediately by returning the e-mail to the originator.

More information about the krbdev mailing list