Checking renewability of TGT programmatically

Dmitri Pal dpal at redhat.com
Thu May 2 17:37:23 EDT 2013


On 05/02/2013 01:34 PM, Russ Allbery wrote:
> Greg Hudson <ghudson at MIT.EDU> writes:
>> On 05/02/2013 09:51 AM, Arpit Srivastava wrote:
>>> I am using GSS API with Kerberos as underlying implementation. I am
>>> fetching a TGT from AD, and I need to check whether the ticket is
>>> renewable or not either preferably using some GSS API method (or some
>>> native method).
>> If possible, I would suggest using the k5start program:
>>   http://www.eyrie.org/~eagle/software/kstart/k5start.html
> In particular, the krenew program, included in that distribution, does
> something very similar to what you want to do.  Even if it's not a perfect
> match, you could probably reuse quite a bit of code.
>
Alternatively, you can point your client to GSS proxy and make it do all
the GSSAPI negotiation itself. If the ticket is not there or needs to be
renewed, GSS proxy will do it on your behalf. The purpose of the project
is to provide an alternative to k5start that also provides GSSAPI
negotiation, not allowing the actual application to have direct access to
the key material.
https://fedorahosted.org/gss-proxy/

If you need more information you can ping people on freenode #sssd or
#freeipa and they will connect you to the right expert.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
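
For the "native method" route raised in the question, the renewable flag and the renew-till time can be read straight from a file-based credential cache. This is an added example, not code from anyone in this thread or from k5start/GSS proxy; it assumes the MIT ccache file format version 4 (0x0504), and the names `Reader`, `tgt_renewability` and `sample_ccache` are hypothetical, with the sample cache constructed from dummy bytes.

```python
import struct
TKT_FLG_RENEWABLE = 0x00800000  # value of this ticket flag in MIT krb5.h

class Reader:
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, fmt):               # big-endian fixed-size fields
        vals = struct.unpack_from(">" + fmt, self.buf, self.pos)
        self.pos += struct.calcsize(">" + fmt)
        return vals if len(vals) > 1 else vals[0]
    def data(self):                    # counted octet string: u32 length + bytes
        n = self.take("I")
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def principal(self):               # name type, component count, realm, components
        _name_type, count = self.take("II")
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(count)) + "@" + realm

def tgt_renewability(ccache):  # -> [(server, renewable, renew_till)] per krbtgt entry
    r = Reader(ccache)
    if r.take("H") != 0x0504:
        raise ValueError("only ccache file format version 4 is handled")
    header_len = r.take("H")
    r.pos += header_len                # skip header tags (e.g. KDC time offset)
    r.principal()                      # default principal of the cache
    found = []
    while r.pos < len(ccache):
        r.principal()                  # client
        server = r.principal()
        r.take("H"); r.data()          # keyblock: enctype + key bytes (ignored)
        _auth, _start, _end, renew_till, _is_skey, flags = r.take("IIIIBI")
        for _ in range(2):             # address list, then authdata list
            for _ in range(r.take("I")):
                r.take("H"); r.data()
        r.data(); r.data()             # ticket, second ticket
        if server.startswith("krbtgt/"):
            found.append((server, bool(flags & TKT_FLG_RENEWABLE), renew_till))
    return found

def _d(b): return struct.pack(">I", len(b)) + b
def _princ(realm, *parts):
    return struct.pack(">II", 1, len(parts)) + _d(realm) + b"".join(map(_d, parts))
def sample_ccache(flags, renew_till):  # constructed input: one TGT, dummy key/ticket
    client = _princ(b"EXAMPLE.COM", b"alice")
    tgt = _princ(b"EXAMPLE.COM", b"krbtgt", b"EXAMPLE.COM")
    times = struct.pack(">IIIIBI", 1000, 1000, 37000, renew_till, 0, flags)
    return (struct.pack(">HHHHII", 0x0504, 12, 1, 8, 0, 0) + client + client + tgt
            + struct.pack(">H", 18) + _d(bytes(32)) + times + bytes(8) + _d(b"tkt") + _d(b""))
```

`renew_till` is a Unix timestamp, so a ticket with the flag set can still be past its renewal window; compare it with the current time before attempting a renewal.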


More information about the krbdev mailing list