gss_accept_sec_context failing after getting service ticket using service name and password

Paul Moore paul.moore at centrify.com
Sat May 27 19:05:54 EDT 2006


Run the password through the string2key function, dump the result into a new keytab file and away you go.

 -----Original Message-----
From: 	Gaurav Gaba [mailto:gauravg77 at gmail.com]
Sent:	Sat May 27 01:24:20 2006
To:	Jeffrey Hutzelman; krbdev at mit.edu
Subject:	Re: gss_accept_sec_context failing after getting service ticket using service name and password

Hi Jeffrey,

I got the point you are trying to make.

The problem I have is that I want to do gss_accept_sec_context() but I do
not have the keytab file. So, I do not have the service key with me. What I
have is the service principal and its password.

How can I obtain the service key using the service principal and its
password and then pass it on to gss_accept_sec_context call?

Thanks,
Gaurav G.


On 5/26/06, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
>
>
>
> On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba <gauravg77 at gmail.com> wrote:
>
> > Hi Nicolas,
> >
> > No, I do not mean gss_init_sec_context().
> > I want to do gss_accept_sec_context() only.
> >
> > gss_accept_sec_context() requires gss_acquire_creds() for getting the
> > service credentials from the keytab file. But I do not have the keytab
> > file and I have got the service credentials using service name and
> > password using krb5_get_credentials() call. Now I want
> > gss_accept_sec_context() to use these credentials instead of the one from
> > keytab file.
> >
> > Am I trying something wrong here?
>
> Yes, because you're trying to mix GSS and Kerberos terminology.
> In Kerberos, "credentials" always refers to something a client has to prove
> its identity to a server; that is, a ticket.
>
> In GSS, client credentials are tickets, but service credentials are what a
> service needs to accept contexts and prove its identity to a client.  For
> the Kerberos mechanism, that's a service key, which is generally stored in
> a keytab.  You can't use client credentials; they don't contain the
> long-term service key, which is what is needed to handle incoming
> requests.
>
> With a couple of unfortunate exceptions, if you are using the GSS-API, you
> should not be making _any_ calls directly to the Kerberos library.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
>
>
_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
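Added example, not code from the thread or from MIT Kerberos: a small Python writer and reader for the MIT keytab file format (version 0x0502), so you can see what "dump the result into a new keytab file" amounts to and check, the way klist -k does, that the entry's principal, kvno and enctype match what the KDC puts in service tickets before pointing KRB5_KTNAME at the file. The principal host/www.example.com@EXAMPLE.COM is made up and DEMO_KEY is a constructed placeholder, not a string2key result; the real key is string2key(password, salt) for the chosen enctype (krb5_c_string_to_key in the library, or ktutil's addent -password), computed with the salt the KDC used for that principal.

```python
import struct
import time

# MIT keytab, file version 0x0502.  Each entry, big-endian: int32 size
# (negative = deleted slot), uint16 component count (realm not counted),
# counted-string realm and components, uint32 name type, uint32 timestamp,
# uint8 kvno, uint16 enctype, uint16 key length, key, and an optional
# uint32 kvno trailer that overrides the 8-bit kvno when nonzero.
KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_SRV_HST = 3      # name type for host-based services (host/fqdn@REALM)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
# Constructed placeholder.  A real key is string2key(password, salt) for the
# entry's enctype; it is never a fixed pattern like this one.
DEMO_KEY = bytes(range(32))


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_entry(principal, kvno, enctype, key, timestamp=None,
                name_type=KRB5_NT_SRV_HST):
    """Serialize one entry for 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    ts = int(time.time()) if timestamp is None else int(timestamp)
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)              # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key[, timestamp])."""
    return KEYTAB_VERSION + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Return the live entries, the information `klist -kKe` prints."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos].decode()

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                            # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:                       # optional 32-bit kvno
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": ts, "kvno": kvno,
                        "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def check_keytab(entries, principal, kvno, enctype):
    """Why gss_accept_sec_context would reject a ticket for `principal` that
    the KDC encrypted with key version `kvno` of `enctype`; [] means it can."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no entry for %s" % principal]
    problems = []
    if not any(e["kvno"] == kvno for e in mine):
        problems.append("kvno mismatch: keytab has %s, ticket uses %d "
                        "(KRB5_KT_KVNONOTFOUND: key version number for "
                        "principal in key table is incorrect)"
                        % (sorted({e["kvno"] for e in mine}), kvno))
    if not any(e["enctype"] == enctype for e in mine):
        problems.append("no %s key for %s"
                        % (ENCTYPE_NAMES.get(enctype, enctype), principal))
    return problems


if __name__ == "__main__":
    svc = "host/www.example.com@EXAMPLE.COM"   # constructed principal name
    blob = write_keytab([(svc, 3, 18, DEMO_KEY)])
    for e in parse_keytab(blob):
        print("kvno %d %s %s" % (e["kvno"], e["enctype_name"], e["principal"]))
    print(check_keytab(parse_keytab(blob), svc, 4, 18))
```

Write the bytes from write_keytab to a file readable only by the service account (the file holds the long-term key) and set KRB5_KTNAME to its path; gss_acquire_cred then finds the key without any direct krb5 calls in the application. Three things in the entry must agree with the KDC or gss_accept_sec_context rejects every ticket: the principal name as the KDC spells it, an enctype the KDC issues service tickets in, and the kvno, which the KDC bumps on every password change and which the keytab lookup matches exactly (KRB5_KT_KVNONOTFOUND otherwise). check_keytab reports each of these against the kvno and enctype you see in a failing ticket.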


