One more question WRT gssapi...

Jeffrey Altman jaltman at MIT.EDU
Tue Jul 26 18:02:39 EDT 2005


Jiva:

Why don't you explain to us what you are attempting to accomplish?

Does one of your two endpoints represent an end-user?
Or are both of your endpoints services that represent machines?

When using GSSAPI Kerberos, the initiator of the authentication must
have an initial credential (aka a Ticket Granting Ticket) prior to
the call to gss_acquire_cred() or gss_init_context().  If the initiator
represents an end user, the user typically obtains a TGT either at login
or via a kinit call.  The user provides her principal name and a
password or smart card or another form of proof of identity and the
Kerberos KDC issues an initial TGT to the user.

If the initiator does not represent a user or is running as a detached
long term background process, the process may be given access to a
keytab containing the long term key for the initiator's principal.  This
keytab is then used with a kinit call to obtain an initial TGT.

The TGT is used during the gss_init_context() call to obtain a Kerberos
service ticket for the service you are attempting to authenticate to.

Jeffrey Altman


Jiva DeVoe wrote:

> Aha!
> 
> Is this documented somewhere I can read up on it?  I clearly don't 
> understand the inner workings of this, and I'd like to.
> 
> 
> On Jul 26, 2005, at 5:17 PM, Nicolas Williams wrote:
> 
>> On Tue, Jul 26, 2005 at 05:04:07PM -0400, Jiva DeVoe wrote:
>>
>>> Hmm, my tests do not bear this out...
>>>
>>> Specifically, I find I MUST issue a kinit -t /etc/krb5.keytab service/host at foo.com
>>> before attempting to run my application, which then does
>>> a gss_acquire_cred.
>>>
>>> Is this correct?
>>>
>>
>> For an initiator cred, yes.
>>
> 
> -- 
> Jiva DeVoe
> http://www.devoesquared.com
> PowerCard - Intuitive Project Management Software for Mac OS X
> 
> 
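The keytab-to-TGT step Jeffrey describes for a detached service initiator, as a wrapper script. This is an added example, not code from the thread or from MIT krb5; it assumes the principal service/host@FOO.COM (the thread's service/host at foo.com with the realm uppercased), the keytab /etc/krb5.keytab, and a hypothetical GSSAPI program ./my_gss_initiator.

```shell
#!/bin/sh
# Added example: make sure the initiator has a TGT before it calls
# gss_acquire_cred()/gss_init_sec_context(). Values below are assumptions.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
PRINC=${PRINC:-service/host@FOO.COM}
# Private credential cache so the service never clobbers (or reads) an
# interactive user's tickets on the same host.
export KRB5CCNAME=${KRB5CCNAME:-FILE:/tmp/krb5cc_gss_initiator}

# Return 0 if the cache already holds a valid, unexpired TGT.
have_tgt() {
    klist -s 2>/dev/null
}

# Obtain a fresh TGT from the keytab; -k takes the key from the keytab,
# so no password prompt can block a background process.
acquire_tgt() {
    kinit -k -t "$KEYTAB" "$PRINC"
}

# Reuse a cached TGT when possible, otherwise kinit from the keytab.
# Prints "cached" or "acquired"; returns 1 if no TGT could be obtained.
ensure_tgt() {
    if have_tgt; then
        echo cached
        return 0
    fi
    if acquire_tgt; then
        echo acquired
        return 0
    fi
    echo "failed to obtain TGT for $PRINC from $KEYTAB" >&2
    return 1
}

# Typical use: refuse to start the initiator without a credential.
# ensure_tgt >/dev/null && exec ./my_gss_initiator "$@"
```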