gss_accept_sec_context failing after getting service ticket using service name and password

Gaurav Gaba gauravg77 at gmail.com
Mon May 29 04:46:23 EDT 2006


Hi Praveen,

I do not want to use the file based keytab approach.

I want to get the service key at runtime using the service principal and its
password. I do not want the service key to be stored in a keytab file, or to
have to move a keytab file across the network.

Also, is there a way by which I can do away with the keytab mechanism
altogether?

Thanks and Regards,
Gaurav G.


On 5/29/06, Praveenkumar Sahukar <psahukar at novell.com> wrote:
>
> Hi,
>
> Is it that you don't want to use "file based keytab" or the "keytab
> mechanism" altogether?
>
> Thanks,
> Praveen Kumar
>
> >>> On Mon, May 29, 2006 at 11:23 AM, in message
> <804b2cc0605282253s4ca4c454s1379fba8dc165c69 at mail.gmail.com>,
> "Gaurav Gaba" <gauravg77 at gmail.com> wrote:
> > Hi Paul,
> >
> > Getting the keytab file is not a problem for me. I can have the keytab
> > file, but I do not want to use it.
> >
> > What I want though is that I should be able to get the service key
> > without the keytab file, by using only the service principal and its
> > password.
> >
> > So, the basic problem I have is:
> > "Is there a way to get the service key for a service without having
> > the keytab file?"
> > I have the service principal and its password.
> > If yes, what is the way to go?
> >
> > Thanks and Regards,
> > Gaurav G.
> >
> >
> > On 5/28/06, Paul Moore <paul.moore at centrify.com> wrote:
> >>
> >>  Run the password through the string2key function, dump the result
> >> into a new keytab file and away you go.
> >>
> >>
> >>  ----- Original Message-----
> >> From:   Gaurav Gaba [mailto:gauravg77 at gmail.com
> <gauravg77 at gmail.com>]
> >> Sent:   Sat May 27 01:24:20 2006
> >> To:     Jeffrey Hutzelman; krbdev at mit.edu
> >> Subject:        Re: gss_accept_sec_context failing after getting
> >> service ticket using service name and password
> >>
> >> Hi Jeffrey,
> >>
> >> I got the point you are trying to make.
> >>
> >> The problem I have is that I want to do gss_accept_sec_context() but
> >> I do not have the keytab file. So, I do not have the service key with
> >> me. What I have is the service principal and its password.
> >>
> >> How can I obtain the service key using the service principal and
> >> its password and then pass it on to gss_accept_sec_context call?
> >>
> >> Thanks,
> >> Gaurav G.
> >>
> >>
> >> On 5/26/06, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
> >> >
> >> >
> >> >
> >> > On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba
> >> > <gauravg77 at gmail.com> wrote:
> >> >
> >> > > Hi Nicolas,
> >> > >
> >> > > No, I do not mean gss_init_sec_context().
> >> > > I want to do gss_accept_sec_context() only.
> >> > >
> >> > > gss_accept_sec_context() requires gss_acquire_creds() for
> >> > > getting the service credentials from the keytab file. But I do
> >> > > not have the keytab file and I have got the service credentials
> >> > > using service name and password using krb5_get_credentials()
> >> > > call. Now I want gss_accept_sec_context() to use these
> >> > > credentials instead of the one from keytab file.
> >> > >
> >> > > Am I trying something wrong here?
> >> >
> >> > Yes, because you're trying to mix GSS and Kerberos terminology.
> >> > In Kerberos, "credentials" always refers to something a client has
> >> > to prove its identity to a server; that is, a ticket.
> >> >
> >> > In GSS, client credentials are tickets, but service credentials
> >> > are what a service needs to accept contexts and prove its identity
> >> > to a client.  For the Kerberos mechanism, that's a service key,
> >> > which is generally stored in a keytab.  You can't use client
> >> > credentials; they don't contain the long-term service key, which
> >> > is what is needed to handle incoming requests.
> >> >
> >> > With a couple of unfortunate exceptions, if you are using the
> >> > GSS-API, you should not be making _any_ calls directly to the
> >> > Kerberos library.
> >> >
> >> > --  Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
> >> >   Sr. Research Systems Programmer
> >> >   School of Computer Science -  Research Computing Facility
> >> >   Carnegie Mellon University -  Pittsburgh, PA
> >> >
> >> >
> >> _______________________________________________
> >> krbdev mailing list             krbdev at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/krbdev
> >>
> >>