Getting ticket from the KDC in C

Dean Dln constantinedalianis at gmail.com
Wed Jan 6 03:06:41 EST 2021 

Dear all,

I would like to ask for some tips on how to get a ticket from the Key
Distribution Center (KDC) using the MIT krb5 API in C/C++?

I already have a working Java Client which uses GSS-API to obtain a ticket
from the KDC (using a local TGT) and forwards it to a Java Server.

The server accepts the security context using the following logic:

private GSSContext acceptSecurityContext(Subject serverSubject, final
byte[] kerberosServiceTicket) {
 return Subject.doAs(serverSubject, (PrivilegedAction<GSSContext>) () -> {
            GSSContext gssContext;
            try {
                gssContext = manager.createContext((GSSCredential) null);
            } catch (GSSException ex) {
                LOGGER.warn("Could not create Kerberos gssContext: " +
ex.getMessage(), ex);
                return null;
            }
            try {
                gssContext.acceptSecContext(kerberosServiceTicket, 0,
kerberosServiceTicket.length);
            } catch (GSSException ex) {
                LOGGER.warn("Could not accept security context: " +
ex.getMessage(), ex);
                return null;
            }
            return gssContext;
        });
}

I am trying to implement a C client - similar to the Java one - using MIT
krb5 API and I can't seem to make it work. So far this is my C client code:

    krb5_context context;
    krb5_ccache ccache;
    krb5_creds *outCreds = NULL;
    krb5_creds inCreds;
    int retval;
    char *principal = "...";

    retval = krb5_init_secure_context(&context);
    ...

    retval = krb5_cc_default(context, &ccache);
    ...

    memset(&inCreds, 0, sizeof(inCreds));
    retval = krb5_parse_name(context, principal, &inCreds.server);
    ...

    retval = krb5_cc_get_principal(context, ccache, &inCreds.client);
    ...

    retval = krb5_get_credentials(context, 0, ccache, &inCreds, &outCreds);
    ...

    // also tried using the following: krb5Ticket->enc_part.ciphertext.data
    // (maybe this is the correct way, but I should somehow decrypt it and
use krb5Ticket->enc_part2 ?)
    // retval = krb5_decode_ticket(&outCreds->ticket, &krb5Ticket);
    // ...

    char *base64KerberosTicket = base64_encode(outCreds->ticket.data,
strlen(outCreds->ticket.data));

    char *response = loginKerberos(base64KerberosTicket);
    ...

Thank you in advance.

Best regards,
Dean

More information about the krbdev mailing list