jason.gerfen at scl.utah.edu
Fri Dec 3 10:31:21 EST 2004
My apologies. I am not writing a new pam module. I am modifying the
existing pam_krb5 source to include some support for automatic
generation of user accounts via ldap to eliminate the need for smb, or
nfs. I realize there is an existing ldap pam module but that is not
what I would like to use. Too much time to look up the accounts &
permissions in ldap for any service or application. So I am adding a
simple routine to check for a local account, look in ldap for a user
(after a call to the krb5_get_init_creds_password()). If user is found
it will generate the account using the ldap data, then finish the
uid/gid check & ticket verification process. As of now everything
regarding the account creation is working except for the ticket
verification. The existing module is using the krb5_verify_init_creds()
call which must not have the appropriate triple pointer being passed to
it which is making the system crash.
I hope this background gives you some insight into what I am trying to
accomplish. Since I am very new to using Kerberos (two months), I
have been spending a lot of time researching but due to the small amounts
of documentation, minus examining the source code, I need to understand
what data the krb5_verify_init_creds() call requires to check for any
clock skew information being passed back from the server as well as a
good understanding of how the ticket verification process should proceed
to ensure the kerberos libraries are being used correctly.
Again, my apologies for not fully understanding the Kerberos libraries,
and what calls would be appropriate for each situation.
As for my question at hand, since I would not need to use the
krb5_rd_cred() call in this instance, I am assuming the
krb5_verify_init_creds() is appropriate.
Here is the function and the arguments required. I have commented which
arguments I have questions on to clarify use of this call: (if you
could give me the function to call prior to each of the questioned
arguments that would help as well)
krb5_error_code krb5_verify_init_creds(
    krb5_context context,
    krb5_creds *creds,                    // Is this the principal?
                                          // krbtgt/krb5principal@krb5realm.com
    krb5_principal server_arg,            // I am assuming the kdc list of IP or hostnames?
    krb5_keytab keytab_arg,               // is the keytab the handle?
    krb5_ccache *ccache,                  // I have no clue on this argument
    krb5_verify_init_creds_opt *options   // this is returned from the krb5_verify_init_creds_opt_init() call
);
Again thanks in advance for your insight and expertise.
Sam Hartman wrote:
>>>>>>"Jason" == Jason Gerfen <jason.gerfen at scl.utah.edu> writes:
> Jason> Could someone point me to some documentation on this
> Jason> function so I can ensure I am calling it correctly?
>Are you still writing a PAM module? IF so, you do not need or want
>I suggest that you get in a habit of explaining what you're trying to
>accomplish as well as how you are trying to accomplish. You are
>mostly doing the second, but without understanding why you are calling
>the functions you choose to call it is hard to help you.
>You need a remote hostname or service principal to usefully call
jason.gerfen at scl.utah.edu
"And remember... If the ladies
don't find you handsome, they
should at least find you handy..."
~The Red Green show