GSSAPI Question
Shirish Rai
srai at ironkey.com
Wed Nov 25 16:12:19 EST 2009
I am trying to get a GSSAPI client working with a Java-based GSSAPI server.
The underlying mechanism is Kerberos. I first get a TGT and Service
Ticket via Kerberos and then try to start the GSSAPI. I need to explicitly
pass the credentials to be used. They cannot be the default user logged on
etc. However, I keep getting the following error:
GSS-API error gss_krb5_acquire_cred: Unspecified GSS failure. Minor code may provide more information
GSS-API error gss_krb5_acquire_cred: No credentials cache found
I have looked at the code a bit and it seems GSS creates a new KRB context.
Is there a way to tell GSS to use an existing context and/or ccache? I tried
this with the gss_krb5_ccache_name API, but that did not change anything.
I guess there must be a way to only use GSSAPI as well. If that is the
correct way to go about this, is there an example I can look at?
Here is the relevant code:
Any help would be greatly appreciated.
Thanks.
Shirish.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
struct k5_data {
    krb5_context ctx;
    krb5_ccache cc;
    krb5_principal me;
    char* name;
};

int _tmain(int argc, _TCHAR* argv[])
{
    struct k5_data k5;
    memset(&k5, 0, sizeof(k5));
    krb5_error_code code = 0;
    krb5_creds my_creds;
    krb5_get_init_creds_opt *options = NULL;
    display_file = stdout;

    cout << "Starting Program " << endl;
    code = krb5_init_context(&k5.ctx);
    if (code) {
        com_err("GSSAPI", code, " while initializing library");
        goto done;
    }
    cout << "done context" << endl;

    code = krb5_cc_default(k5.ctx, &k5.cc);
    if (code) {
        com_err("GSSAPI", code, " while initializing cache");
        goto done;
    }
    const char* cache_name = krb5_cc_get_name(k5.ctx, k5.cc);
    cout << "The name of default cache is " << cache_name << endl;
    cout << "done cc cache" << endl;

    code = krb5_parse_name(k5.ctx, USER_PRINCIPAL, &k5.me);
    if (code) {
        com_err("GSSAPI", code, " while parsing principal");
        goto done;
    }
    cout << "done parse name" << endl;

    code = krb5_get_init_creds_opt_alloc(k5.ctx, &options);
    if (code) {
        com_err("GSSAPI", code, " while allocating options");
        goto done;
    }
    cout << "done alloc of options" << endl;

    code = krb5_get_init_creds_password(k5.ctx, &my_creds, k5.me,
                                        "Secret00",
                                        NULL, NULL, 0, SERVICE_PRINCIPAL, NULL);
    if (code) {
        com_err("GSSAPI", code, " while init_creds_password");
        goto done;
    }
    cout << "Got service ticket" << endl;

    cout << "Establishing GSS context " << endl;
    OM_uint32 min_stat;
    const char* out_name;
    OM_uint32 maj_stat = gss_krb5_ccache_name(&min_stat, cache_name,
                                              &out_name);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("gss_krb5_ccache_name", maj_stat, min_stat);
    }

    gss_name_t desired_name;
    gss_cred_id_t cred;
    gss_buffer_desc name_tok;
    name_tok.value = USER_PRINCIPAL;
    name_tok.length = strlen(USER_PRINCIPAL);
    memset(&cred, 0, sizeof(cred));

    maj_stat = gss_import_name(&min_stat, &name_tok,
                               (gss_OID) gss_nt_service_name,
                               &desired_name);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("parsing name", maj_stat, min_stat);
        goto done;
    }

    maj_stat = gss_acquire_cred(&min_stat, desired_name, GSS_C_INDEFINITE,
                                GSS_C_NULL_OID_SET, GSS_C_INITIATE, &cred, NULL, NULL);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("gss_krb5_acquire_cred", maj_stat, min_stat);
        goto done;
    }
[snip]
.
.