gss_accept_sec_context failing after getting service ticket using service name and password

Praveenkumar Sahukar psahukar at novell.com
Mon May 29 04:26:09 EDT 2006


Hi,

Is it that you don't want to use "file based keytab" or the "keytab
mechanism" altogether?

Thanks,
Praveen Kumar

>>> On Mon, May 29, 2006 at 11:23 AM, in message
<804b2cc0605282253s4ca4c454s1379fba8dc165c69 at mail.gmail.com>,
"Gaurav Gaba" <gauravg77 at gmail.com> wrote:
> Hi Paul,
> 
> Getting the keytab file is not a problem for me. I can have the keytab file,
> but I do not want to use it.
> 
> What I want though is that I should be able to get the service key without
> the keytab file, by using only the service principal and its password.
> 
> So, the basic problem I have is:
> "Is there a way to get the service key for a service without having the
> keytab file?"
> I have the service principal and its password.
> If yes, what is the way to go?
> 
> Thanks and Regards,
> Gaurav G.
> 
> 
> On 5/28/06, Paul Moore <paul.moore at centrify.com> wrote:
>>
>>  Run the password through the string2key function, dump the result into a
>> new keytab file and away you go.
>>
>>
>>  ----- Original Message -----
>> From:   Gaurav Gaba [mailto:gauravg77 at gmail.com <gauravg77 at gmail.com>]
>> Sent:   Sat May 27 01:24:20 2006
>> To:     Jeffrey Hutzelman; krbdev at mit.edu
>> Subject:        Re: gss_accept_sec_context failing after getting service
>> ticket using service name and password
>>
>> Hi Jeffrey,
>>
>> I got the point you are trying to make.
>>
>> The problem I have is that I want to do gss_accept_sec_context() but I do
>> not have the keytab file. So, I do not have the service key with me. What I
>> have is the service principal and its password.
>>
>> How can I obtain the service key using the service principal and its
>> password and then pass it on to gss_accept_sec_context call?
>>
>> Thanks,
>> Gaurav G.
>>
>>
>> On 5/26/06, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
>> >
>> >
>> >
>> > On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba
>> > <gauravg77 at gmail.com> wrote:
>> >
>> > > Hi Nicolas,
>> > >
>> > > No, I do not mean gss_init_sec_context().
>> > > I want to do gss_accept_sec_context() only.
>> > >
>> > > gss_accept_sec_context() requires gss_acquire_creds() for getting the
>> > > service credentials from the keytab file. But I do not have the keytab
>> > > file and I have got the service credentials using service name and
>> > > password using krb5_get_credentials() call. Now I want
>> > > gss_accept_sec_context() to use these credentials instead of the one from
>> > > keytab file.
>> > >
>> > > Am I trying something wrong here?
>> >
>> > Yes, because you're trying to mix GSS and Kerberos terminology.
>> > In Kerberos, "credentials" always refers to something a client has to prove
>> > its identity to a server; that is, a ticket.
>> >
>> > In GSS, client credentials are tickets, but service credentials are what a
>> > service needs to accept contexts and prove its identity to a client.  For
>> > the Kerberos mechanism, that's a service key, which is generally stored in
>> > a keytab.  You can't use client credentials; they don't contain the
>> > long-term service key, which is what is needed to handle incoming
>> > requests.
>> >
>> > With a couple of unfortunate exceptions, if you are using the GSS-API, you
>> > should not be making _any_ calls directly to the Kerberos library.
>> >
>> > --  Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>> >   Sr. Research Systems Programmer
>> >   School of Computer Science -  Research Computing Facility
>> >   Carnegie Mellon University -  Pittsburgh, PA
>> >
>> >
>> _______________________________________________
>> krbdev mailing list             krbdev at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>>
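
The "dump the result into a new keytab file" step suggested in the quoted thread, as an added example that is not part of the original messages or of any Kerberos library: a Python sketch that serializes one entry in keytab file format version 0x0502 and reads it back. It assumes the key bytes were already produced by the Kerberos library's string-to-key function for the right enctype and salt; the principal, kvno and key below are constructed sample values.

```python
import struct

KRB5_NT_PRINCIPAL = 1   # name type of an ordinary principal

def _counted(data):     # counted_octet_string: 16-bit length, then the bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(principal, kvno, enctype, key, timestamp):
    """Serialize one entry in keytab file format version 0x0502."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    entry = struct.pack(">H", len(comps)) + _counted(realm.encode())
    entry += b"".join(_counted(c.encode()) for c in comps)
    entry += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF, enctype) + _counted(key)
    entry += struct.pack(">I", kvno)   # 32-bit kvno after the keyblock
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

def _take_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Read entries back; a non-positive size marks a deleted slot."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        buf, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", buf, 0)
        realm, off = _take_counted(buf, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _take_counted(buf, off)
            comps.append(comp.decode())
        _ntype, ts, vno8, etype = struct.unpack_from(">IIBH", buf, off)
        key, off = _take_counted(buf, off + 11)
        vno32 = struct.unpack_from(">I", buf, off)[0] if len(buf) - off >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno32 or vno8, "enctype": etype, "key": key})
    return entries

# Constructed sample: made-up principal, placeholder key, enctype 18 (aes256-cts-hmac-sha1-96).
SAMPLE = build_keytab("host/app.example.com@EXAMPLE.COM", 3, 18,
                      bytes(range(32)), 0)
```

The entry holds the service's long-term key, so a file written this way needs the same protection as the password it was derived from.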
