gss_accept_sec_context failing after getting service ticket using service name and password

Gaurav Gaba gauravg77 at gmail.com
Mon May 29 01:53:16 EDT 2006


Hi Paul,

Getting the keytab file is not a problem for me. I can have the keytab file,
but I do not want to use it.

What I want though is that I should be able to get the service key without
the keytab file, by using only the service principal and its password.

So, the basic problem I have is:
"Is there a way to get the service key for a service without having the
keytab file?"
I have the service principal and its password.
If yes, what is the way to go?

Thanks and Regards,
Gaurav G.


On 5/28/06, Paul Moore <paul.moore at centrify.com> wrote:
>
>  Run the password through the string2key function, dump the result into a
> new keytab file and away you go.
>
>
>  -----Original Message-----
> From:   Gaurav Gaba [mailto:gauravg77 at gmail.com]
> Sent:   Sat May 27 01:24:20 2006
> To:     Jeffrey Hutzelman; krbdev at mit.edu
> Subject:        Re: gss_accept_sec_context failing after getting service
> ticket using service name and password
>
> Hi Jeffrey,
>
> I got the point you are trying to make.
>
> The problem I have is that I want to do gss_accept_sec_context() but I do
> not have the keytab file. So, I do not have the service key with me. What I
> have is the service principal and its password.
>
> How can I obtain the service key using the service principal and its
> password and then pass it on to gss_accept_sec_context call?
>
> Thanks,
> Gaurav G.
>
>
> On 5/26/06, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
> >
> >
> >
> > On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba <gauravg77 at gmail.com>
> > wrote:
> >
> > > Hi Nicolas,
> > >
> > > No, I do not mean gss_init_sec_context().
> > > I want to do gss_accept_sec_context() only.
> > >
> > > gss_accept_sec_context() requires gss_acquire_creds() for getting the
> > > service credentials from the keytab file. But I do not have the keytab
> > > file and I have got the service credentials using service name and
> > > password using krb5_get_credentials() call. Now I want
> > > gss_accept_sec_context() to use these credentials instead of the one from
> > > keytab file.
> > >
> > > Am I trying something wrong here?
> >
> > Yes, because you're trying to mix GSS and Kerberos terminology.
> > In Kerberos, "credentials" always refers to something a client has to prove
> > its identity to a server; that is, a ticket.
> >
> > In GSS, client credentials are tickets, but service credentials are what a
> > service needs to accept contexts and prove its identity to a client.  For
> > the Kerberos mechanism, that's a service key, which is generally stored in
> > a keytab.  You can't use client credentials; they don't contain the
> > long-term service key, which is what is needed to handle incoming
> > requests.
> >
> > With a couple of unfortunate exceptions, if you are using the GSS-API, you
> > should not be making _any_ calls directly to the Kerberos library.
> >
> > -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
> >   Sr. Research Systems Programmer
> >   School of Computer Science - Research Computing Facility
> >   Carnegie Mellon University - Pittsburgh, PA
> >
> >
>
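The "dump the result into a new keytab file" step from the quoted reply, as an added example that is not part of the original thread or of MIT krb5: it serialises a key into the version 0x0502 keytab layout and reads it back. The key bytes are assumed to come from the Kerberos library's string-to-key for the chosen enctype; the function names, principal, realm and key below are constructed for illustration. The kvno and enctype must match what the KDC holds for the service, and the resulting file is as sensitive as the password itself.

```python
import struct, time

KEYTAB_V2 = b"\x05\x02"   # MIT keytab file format 0x0502: all integers big-endian
KRB5_NT_SRV_HST = 3       # principal name type for host-based services

def _counted(data):
    """uint16 length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def keytab_entry(service, realm, kvno, enctype, key, ts=None):
    """Serialise one entry. `key` is the string-to-key output for `enctype`."""
    comps = service.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    ts = int(time.time()) if ts is None else ts
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, ts, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)            # full 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    """Read entries back; key bytes are returned, so treat the output as secret."""
    if blob[:2] != KEYTAB_V2:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                          # negative size marks a deleted slot
            pos += -size
            continue
        rec, off = blob[pos:pos + size], 0
        pos += size
        def take():                            # next uint16-counted field of rec
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]
        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm = take().decode()
        name = "/".join(take().decode() for _ in range(ncomp))
        _ntype, ts, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", rec, off)
        off += 2
        key = take()
        kvno = struct.unpack_from(">I", rec, off)[0] if len(rec) - off >= 4 else vno8
        entries.append({"principal": f"{name}@{realm}", "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": ts})
    return entries

# Constructed sample: 32 placeholder bytes stand in for a real aes256 key (enctype 18).
SAMPLE = KEYTAB_V2 + keytab_entry("host/svc.example.com", "EXAMPLE.COM", 3, 18, bytes(range(32)), ts=0)
```

When writing the bytes to disk, create the file with mode 0600 and owned by the service account, since anyone who can read it can accept contexts as the service.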


