Need help: How to use different caches for TGT and TGS.

Need help: How to use different caches for TGT and TGS.

Santosh Kumar
Hi everyone,

Seeking your help for the below:

I have the default TGT in the default cache location /tmp/krb5cc_36073.

How do I get a TGS and store it in a different cache, but use the TGT from the
default cache location?
Like Heimdal has: ./kgetcred -c /tmp/krb5cc_36073
--out-cache=/tmp/imper_cache --impersonate=[hidden email]
[hidden email]

Where in kvno.c can I modify it to request a different cache location for the TGS?


Below, all the tickets are in the same location:

santoshkj$ ./klist -a -f
Ticket cache: FILE:/tmp/krb5cc_36073
Default principal: host/[hidden email]

Valid starting     Expires            Service principal
12/11/18 16:40:20  12/12/18 02:40:20  krbtgt/[hidden email]
        renew until 12/18/18 16:40:20, Flags: FRIA
        Addresses: (none)
12/11/18 16:41:01  12/12/18 02:40:20  host/[hidden email]
        for client leema\@[hidden email], renew until 12/18/18 16:40:20, Flags: FRA
        Addresses: (none)
12/11/18 16:41:02  12/12/18 02:40:20  http/[hidden email]
        for client leema\@[hidden email], renew until 12/18/18 16:40:20, Flags: FRA
        Addresses: (none)

Thanks
Santosh
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Need help: How to use different caches for TGT and TGS.

Greg Hudson
On 12/13/2018 12:00 AM, Santosh Kumar wrote:
> Have default TGT in default cache location /tmp/krb5cc_36073 .
>
> How to get TGS and store in different cache , but use TGT from default
> cache location?

MIT krb5 doesn't have an option for this in kvno.  You could of course
copy the ccache containing the TGT and point kvno at the copy, but if
the goal is to produce a ccache that doesn't contain the TGT, that's not
helpful.  You could alternatively use "kinit -S servicename" to bypass
getting a TGT entirely.

From a code perspective, you can do what you want by passing
KRB5_GC_NO_STORE to krb5_get_credentials(), then explicitly resolving
the target ccache (krb5_cc_resolve()), initializing it with the client
principal (krb5_cc_initialize()), and storing the cred returned by
krb5_get_credentials().  That's what Heimdal's kgetcred does in
essence--it uses a fancier krb5_get_creds_opt interface to pass
KRB5_GC_NO_STORE, and MIT krb5 doesn't have that, but the option can
simply be passed in the flags parameter.