Service Ticket Questions
kenh at cmf.nrl.navy.mil
Thu Mar 16 12:13:22 EST 2006
>Is it as simple as this (Sam's suggestion)?
>/* krb5_get_init_creds_password already done. */
>krb5_get_credentials(ctx, x, ccache, x, &creds);
>/* Do other stuff. */
>if (other stuff worked)
> krb5_cc_store_cred(ctx, ccache, &creds)
No. krb5_get_credentials already stores the credentials in the cache
for you (if you look at the aklog source, for example, it never calls
krb5_cc_store_cred()). The "old" API had a function called
krb5_get_cred_via_tkt() which doesn't take a ccache, but it's now
marked under an #ifdef KRB5_PRIVATE, and I don't know if that symbol is
exported under MacOS X. That was why I said, "I don't think you can do
it with the functions available in the public API". (I am assuming
that cred_via_tkt() did what you want, but maybe it didn't ... it looks
like get_cred_from_kdc() maybe is closer to what you really wanted --
but it's also marked as private).
>Presuming this is right, the next question is if I can do all the
>"other stuff" without having the creds in a ccache. If not, then
>what calls do I use to copy ccache entries (Ken's suggestion)?
There is the function krb5_cc_copy_creds(). Actually, that should make
it really easy now that I think about it. You can do this:
    create memory cache
    krb5_cc_copy_creds() from Mac cache into memory cache.
    get afs service ticket, try getting token
    if successful, clear mac cache (krb5_cc_initialize) and use
      krb5_cc_copy_creds() to copy everything back.
Should be a small amount of code.