Jason Gerfen jason.gerfen at
Fri Dec 3 10:31:21 EST 2004

My apologies.  I am not writing a new pam module.  I am modifying the 
existing pam_krb5 source to include some support for automatic 
generation of user accounts via ldap to eliminate the need for smb, or 
nfs.  I realize there is an existing ldap pam module but that is not 
what I would like to use.  Too much time to look up the accounts & 
permissions in ldap for any service or application.  So I am adding a 
simple routine to check for a local account, look in ldap for a user 
(after a call to the krb5_get_init_creds_password()).  If the user is found 
it will generate the account using the ldap data, then finish the 
uid/gid check & ticket verification process.  As of now everything 
regarding the account creation is working except for the ticket 
verification.  The existing module is using the krb5_verify_init_creds() 
call which must not have the appropriate triple pointer being passed to 
it, which is making the system crash.

I hope this background gives you some insight into what I am trying to 
accomplish.  Since I am very new to using Kerberos ( two months ), I 
have been spending a lot of time researching but due to the small amounts 
of documentation, minus examining the source code, I need to understand 
what data the krb5_verify_init_creds() call requires to check for any 
clock skew information being passed back from the server as well as a 
good understanding of how the ticket verification process should proceed 
to ensure the kerberos libraries are being used correctly.

Again, my apologies for not fully understanding the Kerberos libraries, 
and what calls would be appropriate for each situation.

As for my question at hand, since I would not need to use the 
krb5_rd_cred() call in this instance, I am assuming the 
krb5_verify_init_creds() is appropriate.

Here is the function and the arguments required.  I have commented which 
arguments I have questions on to clarify use of this call:  (if you 
could give me the function to call prior to each of the questioned 
arguments that would help as well)

krb5_verify_init_creds( krb5_context context,
                        krb5_creds *creds,                   // Is this the principal? krb5tgt/krb5principal at
                        krb5_principal server_arg,           // I am assuming the kdc list of IP or hostnames?
                        krb5_keytab keytab_arg,              // is the keytab the handle?
                        krb5_ccache *ccache_arg,             // I have no clue on this argument
                        krb5_verify_init_creds_opt *options  // this is returned from the krb5_verify_init_creds_opt_init() call
);

Again thanks in advance for your insight and expertise.

Sam Hartman wrote:

>>>>>>"Jason" == Jason Gerfen <jason.gerfen at> writes:
>    Jason> Could someone point me to some documentation on this
>    Jason> function so I can ensure I am calling it correctly?
>Are you still writing a PAM module?  If so, you do not need or want
>this function.
>I suggest that you get in a habit of explaining what you're trying to
>accomplish as well as how you are trying to accomplish it.  You are
>mostly doing the second, but without understanding why you are calling
>the functions you choose to call it is hard to help you.
>You need a remote hostname or service principal to usefully call

Jason Gerfen
jason.gerfen at

"And remember... If the ladies
 don't find you handsome, they
 should at least find you handy..."
             ~The Red Green show
