gss_accept_sec_context failing after getting service ticket using service name and password
Michael B Allen
mba2000 at ioplex.com
Fri May 26 23:06:06 EDT 2006
On Fri, 26 May 2006 01:25:39 -0500
Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> > Is there a way
> > to convert from krb5_creds to gss_cred_id_t?
>
> No, there isn't.
>
> For Solaris Nevada we're looking at adding a mechanism-specific
> gss_acquire_cred_from_ccache() GSS-API extension.
At some point don't you just want to punt and use opaque types? Using an
import/export or inquire_by_oid kind of interface implies the result
can be represented in a serialized form, which is somewhat annoying.

For example, if you want to get a mechanism-specific credential you could
have a function like:

    void *gss_cred_to_mech_cred(gss_cred_id_t credential);

or for Java you might have:

    Object GSSCredential.toMechCredential();

which would return a KerberosTicket:

    KerberosTicket tkt = cred.toMechCredential();

And just to sanity check the conversion, perhaps the routine should
take a mech OID. Or one could query the mech for a provider OID so they
can be certain to differentiate between types from different providers
(e.g. krb5_ticket as opposed to shishi_ticket).

Otherwise you risk overspecifying things IMHO.

Mike