GSSAPI Question

Shirish Rai srai at ironkey.com
Tue Dec 1 18:20:19 EST 2009


Thanks Greg. You were right about needing to explicitly call 
krb5_cc_store_cred.

Things are still not working, however, and I have narrowed it down to Leash. It
seems that the problem code is in ccdefault.c, line 92 onwards. It tries to use
Leash (which apparently has its own cache). Here is the code:

#ifdef USE_LEASH
    if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
        hLeashDLL = LoadLibrary(LEASH_DLL);
        if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
            (FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
            GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
        }
    }

    if ( pLeash_AcquireInitialTicketsIfNeeded ) {
        char ccname[256]="";
        pLeash_AcquireInitialTicketsIfNeeded(context, NULL, ccname, sizeof(ccname));
        if (ccname[0]) {
            if (strcmp (krb5_cc_default_name (context),ccname) != 0) {
                krb5_cc_set_default_name (context, ccname);
            }
        }
    }
#endif

It tries to acquire initial tickets and times out. All I want is for it to
execute the line after the endif. Is it possible to skip this code? I guess I
have to recompile.

I am also having trouble compiling krb5-1.7 which fails with:

NMAKE : fatal error U1073: don't know how to make 'lib\gssapi\spnego\Makefile'

Thanks a lot for your help.

Shirish.


-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU]
Sent: Friday, November 27, 2009 2:49 PM
To: Shirish Rai
Cc: krbdev at mit.edu
Subject: Re: GSSAPI Question

On Wed, 2009-11-25 at 16:12 -0500, Shirish Rai wrote:
> I have looked at the code a bit and it seems GSS creates a new KRB context.
> Is there a way to tell GSS to use an existing context and/or ccache? I tried
> this with the gss_krb5_ccache_name API. But that did not change anything.

There's no way to make it use an existing context, but that should not
be necessary.  gss_krb5_ccache_name should make it use an existing
ccache.

> I guess there must be a way to only use GSSAPI as well. If that is the
> correct way to go about this, is there an example I can look at?

GSSAPI does not currently have a way to acquire initial credentials (in
current MIT krb5, at least; I believe there are extensions under
consideration for the future).  So you have the right general approach.

I think what's tripping you up is that krb5_get_init_creds_password
doesn't store the resulting credential in a ccache.  You need to
explicitly store my_creds into the default ccache or into one you create
for this purpose.

