KRB5 API and Panther

Alexandra Ellwood lxs at MIT.EDU
Mon Jan 26 15:47:39 EST 2004


I believe that krb5_get_in_tkt_with_password is the old, deprecated 
API.  As you observed, there is a new API 
krb5_get_init_creds_password which replaces it.


>The KRB5 API on OSX 10.3 Panther
>
>The call to get TGT
>
>krb5_get_in_tkt_with_password(context, .....,..
>   &my_creds, &ret_as_reply);
>
>
>  Does not honor starttime/ lifetime/ renewtime settings done with 
>the credentials option
>
>ex:
>
>krb5_creds           my_creds;
>
>...
>
>my_creds.times.starttime = now;
>my_creds.times.endtime = now + (10*60);
>my_creds.times.renew_till = now + (20*60);
>
>
>It works fine in Jaguar
>
>We believe the bug is in
>
>   krb5int_populate_gic_opt   ( file gic_pwd.c)
>
>     if (options&KDC_OPT_FORWARDABLE)
>         krb5_get_init_creds_opt_set_forwardable(opt, 1);
>     else krb5_get_init_creds_opt_set_forwardable(opt, 0);
>     if (options&KDC_OPT_PROXIABLE)
>         krb5_get_init_creds_opt_set_proxiable(opt, 1);
>
>it only sets the options for forwardable and proxiable but not for 
>lifetime etc
>
>
>A way to get around this is by using the
>krb5_get_init_creds_password() call
>
>ex:
>...
>    krb5_get_init_creds_opt_set_tkt_life(&opt, 20*60);
>    krb5_get_init_creds_opt_set_renew_life(&opt, 0);
>    krb5_get_init_creds_opt_set_forwardable(&opt, 0);
>    krb5_get_init_creds_opt_set_proxiable(&opt, 0);
>    krb5_get_init_creds_opt_set_preauth_list(&opt,&PA_LIST,1);
>
>   ...
>   ec = krb5_get_init_creds_password(context,&my_creds, my_principal, password,
>	NULL, NULL, 0, cserver, &opt);
>
>...
>
>Works fine.
>
>
>Brian

--lxs
-- 
-----------------------------------------------------------------------------
Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
--
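
A check a caller can run on the times in the returned credentials, to catch the behaviour reported in this thread where a requested lifetime is not honored. This is an added example, not code from the thread or from MIT Kerberos. `struct ticket_times` is a stand-in with the same four fields as `krb5_ticket_times` so the example compiles without krb5.h; `check_ticket_times` and the flag names are hypothetical, and the sample timestamps are constructed.

```c
/* Added example: verify issued ticket times against what the caller requested. */
#include <stdint.h>
#include <stdio.h>

/* Stand-in with the same four fields as krb5_ticket_times (assumption: used
 * here so the example compiles without krb5.h). */
struct ticket_times { int32_t authtime, starttime, endtime, renew_till; };

enum {
    TKT_OK                = 0,
    TKT_BAD_ORDER         = 1 << 0,  /* endtime not after start */
    TKT_LIFE_TOO_LONG     = 1 << 1,  /* lifetime exceeds the request */
    TKT_RENEW_TOO_LONG    = 1 << 2,  /* renew_till exceeds the request */
    TKT_RENEW_UNREQUESTED = 1 << 3   /* renewable although none was requested */
};

/* want_life and want_renew are in seconds; want_renew == 0 means the caller
 * asked for a non-renewable ticket. Returns a bitmask of the flags above. */
unsigned check_ticket_times(const struct ticket_times *t,
                            int32_t want_life, int32_t want_renew)
{
    /* An absent (zero) starttime means validity begins at authtime. */
    int64_t start = t->starttime ? t->starttime : t->authtime;
    unsigned bad = TKT_OK;

    if ((int64_t)t->endtime <= start)
        return TKT_BAD_ORDER;
    if ((int64_t)t->endtime - start > want_life)
        bad |= TKT_LIFE_TOO_LONG;
    if (want_renew == 0) {
        if (t->renew_till != 0)
            bad |= TKT_RENEW_UNREQUESTED;
    } else if ((int64_t)t->renew_till - start > want_renew) {
        bad |= TKT_RENEW_TOO_LONG;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: 20-minute non-renewable ticket requested, but the
     * returned times span 10 hours with a 7-day renew_till. */
    int32_t now = 1075150059;
    struct ticket_times got = { now, now, now + 10 * 3600, now + 7 * 86400 };

    printf("violations: 0x%x\n", check_ticket_times(&got, 20 * 60, 0));
    return 0;
}
```

In real code the same comparison would be made on `my_creds.times` right after the ticket request returns, before the credentials are stored in a cache.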