PA Data and KLApi's

Prabhakaran vaidya prab at apple.com
Mon Jan 26 11:53:22 EST 2004


Hi,

I am using KLAcquireNewInitialTicketsWithPassword(..loginOptions....)
currently. To keep the code changes to a minimum I tried the following
and it seems to work. But I had to use the private
__KLLoginOptionsGetKerberos5Options API. If I use the krb* APIs I have
to deal with cache creation etc., whereas the KL.. takes care of all
these for me. It seems natural to have the krb opts exposed for fully
utilizing the underlying capabilities of the krb APIs when the KL
abstractions can't meet the needs.

.....
    opt = __KLLoginOptionsGetKerberos5Options(loginOptions);

    if (opt) {
        krb5_get_init_creds_opt_init(opt);
        /* Pre-authentication type to send in the first AS_REQ */
        pre_auth_types = KRB5_PADATA_ENC_TIMESTAMP;
        /* Restrict the request to a single encryption type */
        etypes = ENCTYPE_DES_CBC_CRC;

        krb5_get_init_creds_opt_set_etype_list(opt, &etypes, 1);
        krb5_get_init_creds_opt_set_preauth_list(opt, &pre_auth_types, 1);
    }
.....
KLAcquireNewInitialTicketsWithPassword(..loginOptions....)
....

Let me know if this is not to be used and I will switch to the krb APIs
and do the cache management.

-prab

On Jan 21, 2004, at 4:29 AM, Sam Hartman wrote:

>>>>>> "Brian" == Brian  <brianboy at apple.com> writes:
>
>     Brian> I am doing pre-authentication with Kerberos. I have turned
>     Brian> preauthentication on the server for several accounts. On
>     Brian> the client side I notice there are two calls made to
>     Brian> Kerberos. The first call AS_REQ for a TGT and the KDC
>     Brian> replies with PA required and then AS_REQ again with
>     Brian> PA_DATA.
>
>
>     Brian> Is there a way to send PA data in the request the first
>     Brian> time itself?
>
> Possibly.  As you point out the API calls do have parameters for this;
> you can pass in a set of padata types to use.
>
> But we recommend against doing this because it is fairly untested and
> because it will become less useful in the future as more padata types
> are added.  If you do try using these API calls and they don't work,
> please open bugs.
>
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
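
The two-request exchange and the optimistic padata list discussed in this thread, as an added toy model that is not part of the original messages and is not MIT krb5 or Kerberos Login code. ToyKDC, acquire and the HMAC stand-in for the encrypted timestamp are hypothetical; only the padata type and error numbers are taken from RFC 4120.

```python
import hashlib
import hmac
import struct

PA_ENC_TIMESTAMP = 2                        # padata type number (RFC 4120)
PREAUTH_FAILED, PREAUTH_REQUIRED = 24, 25   # KDC error codes (RFC 4120)
MAX_SKEW = 300                              # assumed clock-skew window, seconds

def long_term_key(password, salt):
    # Stand-in for the Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def make_padata(key, now):
    # Stand-in for PA-ENC-TIMESTAMP: the timestamp is HMAC'd, not encrypted.
    ts = struct.pack(">Q", now)
    return (PA_ENC_TIMESTAMP, ts + hmac.new(key, ts, hashlib.sha256).digest())

class ToyKDC:
    """Toy KDC that requires pre-authentication for every principal."""
    def __init__(self, keys, accepted=(PA_ENC_TIMESTAMP,)):
        self.keys, self.accepted, self.requests = keys, accepted, 0

    def as_req(self, name, padata, now):
        self.requests += 1
        if padata is None or padata[0] not in self.accepted:
            # No usable padata: reply with the list of acceptable types.
            return {"error": PREAUTH_REQUIRED, "methods": list(self.accepted)}
        if len(padata[1]) != 40:            # 8-byte timestamp + 32-byte MAC
            return {"error": PREAUTH_FAILED}
        ts, mac = padata[1][:8], padata[1][8:]
        want = hmac.new(self.keys[name], ts, hashlib.sha256).digest()
        fresh = abs(now - struct.unpack(">Q", ts)[0]) <= MAX_SKEW
        if hmac.compare_digest(mac, want) and fresh:
            return {"ticket": "TGT for " + name}
        return {"error": PREAUTH_FAILED}

def acquire(kdc, name, key, now, optimistic=None):
    """Return (reply, round_trips); optimistic is a padata type to send first."""
    first = None
    if optimistic == PA_ENC_TIMESTAMP:
        first = make_padata(key, now)
    elif optimistic is not None:
        first = (optimistic, b"")           # a type this client cannot build
    reply, trips = kdc.as_req(name, first, now), 1
    if reply.get("error") == PREAUTH_REQUIRED and PA_ENC_TIMESTAMP in reply["methods"]:
        reply, trips = kdc.as_req(name, make_padata(key, now), now), 2
    return reply, trips
```

Against a KDC that only accepts a padata type the client does not implement, the hardcoded optimistic request is answered with PREAUTH_REQUIRED and the client has nothing further to offer.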


