Query, Need help for using GSSAPI client API using fetched tickets in cache.

Query, Need help for using GSSAPI client API using fetched tickets in cache.

Santosh Kumar
All,

Request for help: I'm using the GSSAPI client API to initiate a sec context
using Kerberos tickets in a file cache.


1) Import client principal

//buffer.sprintf("leema\@[hidden email]");
//gss_buffer_desc gssBuffer = { buffer.len(), (void*)buffer.str() };

gss_import_name(&m_minor, &gssBuffer, GSS_C_NT_USER_NAME, &m_gssUser);


2) Import service principal

//gssBuffer -> [hidden email]

gss_import_name(&m_minor, &gssBuffer, GSS_C_NT_HOSTBASED_SERVICE, &m_gssSvc);


3) Acquire client credential handle.

m_major = gss_acquire_cred(&m_minor, m_gssUser, GSS_C_INDEFINITE,
    GSS_C_NO_OID_SET, GSS_C_INITIATE, &m_gssUserCred, &oidSet, &m_timeRec);


4) m_major = gss_acquire_cred(&m_minor, m_gssSvc, GSS_C_INDEFINITE, g_oidSet,
    GSS_C_INITIATE, &m_gssSvcCred, &oidSet, &m_timeRec);

5) m_major = gss_init_sec_context(&m_minor, m_gssUserCred, &m_gssContext,
    m_gssSvc, &g_spnego_mechanism_desc, flags, 0, GSS_C_NO_CHANNEL_BINDINGS,
    &gssInput, NULL, &gssOutput, NULL, NULL);



In step 3) I'm getting GSS_S_CREDENTIALS_EXPIRED; the tickets' lifetime is
valid.


Please note I'm migrating Heimdal gssapi with MIT gssapi. Do I need to
register plugins/callbacks to look for tickets?

I tried replacing g_spnego_mechanism_desc with GSS_C_NO_OID_SET, but it didn't
work. What should I do?


Below is the ticket cache: FILE:/tmp/krb5cc_36073

Default principal: host/[hidden email]

Service principals:

krbtgt/[hidden email]

host/[hidden email] for client leema\@[hidden email]

http/[hidden email] for client leema\@[hidden email]


Thanks

Santosh
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Query, Need help gssapi-client tool - Can't find client principal

Santosh Kumar
Dear all,

I'm struggling to use gss_acquire_cred; it's not able to find the
principal from the Kerberos FILE:/tmp/krb cache.

I'm looking at gss-client tool, for validating:

 gss-client -port 443 -user [hidden email] -ccount 1 -mcount 1 [hidden email] http test

Facing:
GSS-API error acquiring creds: Unspecified GSS failure.  Minor code may provide more information
GSS-API error acquiring creds: Can't find client principal [hidden email] in cache collection

Below is the cache:
[admin@pxe-dev kinit]$ ../klist/klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: host/[hidden email]

Valid starting       Expires              Service principal
12/04/2018 10:48:04  12/04/2018 20:48:04  krbtgt/[hidden email]
        renew until 12/11/2018 10:48:04
12/04/2018 10:48:07  12/04/2018 20:48:04  host/[hidden email]
        for client leema\@[hidden email], renew until 12/11/2018 10:48:04
12/04/2018 10:48:07  12/04/2018 20:48:04  http/[hidden email]
        for client leema\@[hidden email], renew until 12/11/2018 10:48:04
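
Added example (not part of the original posts): MIT krb5 reports "Can't find client principal ... in cache collection" when no cache in the collection has the requested name as its default principal, so this sketch parses klist output and tells a cache owner apart from a name that only appears in "for client" lines. The sample output, principal names and realm are constructed placeholders, and the date layout is assumed to match the listing above.

```python
import re

# Constructed klist output; principal names and realm are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: host/client.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
12/04/2018 10:48:04  12/04/2018 20:48:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/11/2018 10:48:04
12/04/2018 10:48:07  12/04/2018 20:48:04  http/web.example.com@EXAMPLE.COM
        for client leema@EXAMPLE.COM, renew until 12/11/2018 10:48:04
"""

# A ticket row: start date/time, expiry date/time, service principal.
TICKET = re.compile(r"^\d\d/\d\d/\d{4} \S+\s+\d\d/\d\d/\d{4} \S+\s+(\S+)$")
# Continuation row naming a ticket client other than the cache owner.
FOR_CLIENT = re.compile(r"^\s+for client (.+?)(?:, renew until .*)?$")


def parse_klist(text):
    """Return (default_principal, [(service, client), ...]) from klist output."""
    default, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal: "):
            default = line.split(": ", 1)[1].strip()
        elif (m := TICKET.match(line)):
            # A ticket belongs to the default principal unless klist says otherwise.
            tickets.append([m.group(1), default])
        elif (m := FOR_CLIENT.match(line)) and tickets:
            tickets[-1][1] = m.group(1)
    return default, [tuple(t) for t in tickets]


def diagnose(text, desired):
    """Classify how the principal `desired` relates to the cache in a klist dump."""
    default, tickets = parse_klist(text)
    if desired == default:
        return "cache-owner"         # a lookup by this name can select the cache
    if any(client == desired for _, client in tickets):
        return "ticket-client-only"  # tickets exist, but another name owns the cache
    return "absent"


if __name__ == "__main__":
    for name in ("leema@EXAMPLE.COM", "host/client.example.com@EXAMPLE.COM"):
        print(name, "->", diagnose(SAMPLE_KLIST, name))
```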