Service Ticket Questions

Ken Hornstein kenh at
Thu Mar 16 12:13:22 EST 2006

>Is it as simple as this (Sam's suggestion)?
>/* krb5_get_init_creds_password already done. */
>krb5_get_credentials(ctx, x, ccache, x, &creds);
>/* Do other stuff. */
>if (other stuff worked)
>	krb5_cc_store_cred(ctx, ccache, &creds)

No.  krb5_get_credentials already stores the credentials in the cache
for you (if you look at the aklog souce, for example, it never calls
krb5_cc_store_cred()).  The "old" API had a function called
krb5_get_cred_via_tkt() which doesn't take a ccache, but it's now
marked under an #ifdef KRB5_PRIVATE, and I don't know if that symbol is
exported under MacOS X.  That was why I said, "I don't think you can do
it with the functions available in the public API".  (I am assuming
that cred_via_tkt() did what you want, but maybe it didn't ... it looks
like get_cred_from_kdc() maybe is closer to what you really wanted --
but it's also marked as private).

>Presuming this is right, the next question is if I can do all the  
>"other stuff" without having the creds in a ccache.  If not, then  
>what calls do I use to copy ccache entries (Ken's suggestion)?

There is the function krb5_cc_copy_creds().  Actually, that should make
it really easy now that I think about it.  You can do this:

	create memory cache
	krb5_cc_copy_creds() from Mac cache into memory cache.
	get afs service ticket, try getting token
	if successful, clear mac cache (krb5_cc_initialize) and use
	krb5_cc_copy_creds() to copy everything back.

Should be a small amount of code.


More information about the krbdev mailing list