tkt->client must be equal to in_cred->client
Nikhil Mishra
nikhilm at gs-lab.com
Tue Feb 24 12:56:00 EST 2009
Hi All,
I have been working on developing client support for the MS S4U
extensions in MIT Kerberos.
There are a couple of things that I think are worth putting forward, and
then I will follow up with my questions:
1. I am calling the standard krb5_get_credentials() for doing an S4U2self.
   Now, S4U2self requires three parameters:
   1. TGT for the process
   2. Delegating SPN, viz. the service principal of the process.
   3. Delegating UPN, viz. the username/UPN on whose behalf
      this request is done.
   My understanding is that the in_cred parameter being passed to
   krb5_get_credentials should ideally have client as the delegating UPN
   and server as the delegating SPN.
This will create two problems:
1. To retrieve the TGT for the process, we need a client UPN in
   krb5_get_cred_from_kdc_opt().
   This we can resolve by calling krb5_cc_get_principal() and
   assigning it to client.
2. In krb5_get_cred_via_tkt() there is a strict check:
       /* tkt->client must be equal to in_cred->client */
       if (!krb5_principal_compare(context, tkt->client, in_cred->client))
           return KRB5_PRINC_NOMATCH;
Why are we checking for this equality here?
I am trying to push the S4U feature into the existing infrastructure, and
that is why these issues arise.
Thanks & Regards
Nikhil
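The check quoted in the post, modelled as an added, self-contained example (not MIT Kerberos code and not using libkrb5): a minimal parser for principal names in the "comp1/comp2@REALM" form feeds a comparison that mirrors what krb5_principal_compare() looks at (realm, component count, each component), and via_tkt_check_passes() plays the role of the guard in krb5_get_cred_via_tkt(). The scenario function then shows why an S4U2self-style in_cred, whose client is the impersonated UPN while the TGT belongs to the service's own principal, trips that guard. The struct, function names and the principal strings are constructed for illustration; the parser assumes no backslash escapes in names.

```c
/* Added example: model of the tkt->client == in_cred->client guard.
 * Not libkrb5; types and names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_COMP 8
#define MAX_LEN  128

typedef struct {
    char realm[MAX_LEN];
    int  length;                  /* number of name components */
    char data[MAX_COMP][MAX_LEN]; /* e.g. "http", "app.example.com" */
} principal_t;

/* Parse "a/b@REALM" into components and realm (assumption: no '\' escapes,
 * empty components are not allowed). Returns 0 on success, -1 on error. */
static int parse_principal(const char *s, principal_t *p)
{
    char name[MAX_COMP * MAX_LEN];
    const char *at = strrchr(s, '@');
    size_t n;

    memset(p, 0, sizeof *p);
    if (at == NULL || at == s || at[1] == '\0')
        return -1;
    if (strlen(at + 1) >= sizeof p->realm)
        return -1;
    strcpy(p->realm, at + 1);

    n = (size_t)(at - s);
    if (n >= sizeof name)
        return -1;
    memcpy(name, s, n);
    name[n] = '\0';

    /* Split the name part on '/' without strtok, so empty components are caught. */
    {
        const char *start = name, *slash;
        for (;;) {
            slash = strchr(start, '/');
            size_t len = slash ? (size_t)(slash - start) : strlen(start);
            if (len == 0 || len >= MAX_LEN || p->length == MAX_COMP)
                return -1;
            memcpy(p->data[p->length], start, len);
            p->data[p->length][len] = '\0';
            p->length++;
            if (slash == NULL)
                break;
            start = slash + 1;
        }
    }
    return 0;
}

/* Same fields krb5_principal_compare() compares: realm, component count and
 * each component byte for byte (the name type is not part of the comparison). */
static int principal_compare(const principal_t *a, const principal_t *b)
{
    int i;
    if (strcmp(a->realm, b->realm) != 0 || a->length != b->length)
        return 0;
    for (i = 0; i < a->length; i++)
        if (strcmp(a->data[i], b->data[i]) != 0)
            return 0;
    return 1;
}

/* The guard from krb5_get_cred_via_tkt(): the ticket presented to the KDC must
 * belong to the client named in the credential request. Returns 1 when the
 * request would proceed, 0 when it would fail with KRB5_PRINC_NOMATCH. */
static int via_tkt_check_passes(const char *tkt_client, const char *in_cred_client)
{
    principal_t a, b;
    if (parse_principal(tkt_client, &a) != 0 || parse_principal(in_cred_client, &b) != 0)
        return 0;
    return principal_compare(&a, &b);
}

/* Constructed scenario from the post: the process holds a TGT for its own
 * service principal, but in_cred->client names the user being impersonated.
 * Returns 1 if the guard rejects that request. */
static int s4u2self_scenario_rejected(void)
{
    const char *tgt_client = "http/app.example.com@EXAMPLE.COM"; /* constructed */
    const char *delegated_upn = "alice@EXAMPLE.COM";             /* constructed */
    return !via_tkt_check_passes(tgt_client, delegated_upn);
}

int main(void)
{
    printf("ordinary request passes: %d\n",
           via_tkt_check_passes("alice@EXAMPLE.COM", "alice@EXAMPLE.COM"));
    printf("S4U2self-style request rejected: %d\n", s4u2self_scenario_rejected());
    return 0;
}
```

The guard is a sanity invariant for the normal TGS path: the credential being fetched is for the same client whose TGT is used. An S4U2self request deliberately breaks that pairing (TGT client = service, requested credential client = impersonated user), which is exactly why the post's in_cred layout hits the check.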