gss_krb5_import_cred

gss_krb5_import_cred

sorin.manolache
Hello,

Assuming that I've never acquired any credentials before calling

gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);

can this call acquire any credentials that I could use later for
gss_init_sec_context? It seems to me that no, but I would like a
confirmation.

Or, to put it differently, if all I have is a keytab file (i.e. I have
nothing in the caches, I have never called kinit, I have never called
gss_acquire_cred or gss_acquire_cred_by_password) is there a way to
acquire credentials only with that keytab file? (The keytab file is not
empty, obviously.)

Thank you in advance,
Sorin

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: gss_krb5_import_cred

Greg Hudson
On 10/01/2015 02:25 PM, [hidden email] wrote:
> gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);
>
> can this call acquire any credentials that I could use later for
> gss_init_sec_context? It seems to me that no, but I would like a
> confirmation.

No, you will only get acceptor creds this way.

> Or, to put it differently, if all I have is a keytab file (i.e. I have
> nothing in the caches, I have never called kinit, I have never called
> gss_acquire_cred or gss_acquire_cred_by_password) is there a way to
> acquire credentials only with that keytab file? (The keytab file is not
> empty, obviously.)

Yes, as of MIT krb5 1.11.  The basic outline is:

* Configure a client keytab name, typically using the KRB5_CLIENT_KTNAME
environment variable.

* Configure a ccache (with KRB5CCNAME or otherwise) that won't be
disturbed by a human.  Don't populate this cache manually.

* Call gss_acquire_cred() with usage GSS_C_INITIATE.  Ticket acquisition
and refreshes from the keytab will happen automatically behind the scenes.

As of 1.12, you can use gss_acquire_cred_from() to specify the client
keytab name and ccache name, if you want to do that programmatically
rather than through the program environment.

There is more at:

http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation

This is under-documented in the main documentation; the component
features are documented, but there ought to be a better "how to."
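
The environment half of the outline above (a client keytab plus a dedicated ccache), as an added example that is not part of the original post or of MIT krb5. It refuses to export KRB5_CLIENT_KTNAME and KRB5CCNAME unless the keytab and the cache directory are private to the owner. The function names, the `krb5cc` cache file name and the permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: prepare the environment for keytab-based GSS-API initiation
# (MIT krb5 1.11 or later). Paths are caller-supplied; nothing here runs kinit.

# True when `ls -ld` shows the expected type and no group/other permission bits.
# $1 = path, $2 = expected type character ('-' regular file, 'd' directory).
# A symlink shows type 'l' and is therefore rejected as well.
private_to_owner() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        "$2"???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = client keytab file, $2 = directory reserved for this service's ccache.
keytab_initiator_env() {
    kt=$1 ccdir=$2

    # The keytab holds long-term keys: anyone who can read it can act as the
    # principal, so require a non-empty regular file with mode 0600 or stricter.
    if [ ! -s "$kt" ]; then
        echo "client keytab missing or empty: $kt" >&2; return 1
    fi
    if ! private_to_owner "$kt" -; then
        echo "client keytab must be a private regular file: $kt" >&2; return 1
    fi

    # A cache "that won't be disturbed by a human": its own 0700 directory.
    mkdir -p -m 700 -- "$ccdir" || return 1
    if ! private_to_owner "$ccdir" d; then
        echo "ccache directory is accessible to group/other: $ccdir" >&2; return 1
    fi

    # The cache file is deliberately not created or populated here; the
    # library fills and refreshes it when the application calls
    # gss_acquire_cred() with usage GSS_C_INITIATE.
    KRB5_CLIENT_KTNAME="FILE:$kt"
    KRB5CCNAME="FILE:$ccdir/krb5cc"   # "krb5cc" is an assumed file name
    export KRB5_CLIENT_KTNAME KRB5CCNAME
}

# Usage (hypothetical paths and program):
#   keytab_initiator_env /etc/myapp/client.keytab /var/lib/myapp/cc \
#       && exec /usr/local/bin/myapp
```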

Re: gss_krb5_import_cred

Sorin Manolache
On 2015-10-01 21:41, Greg Hudson wrote:

> On 10/01/2015 02:25 PM, [hidden email] wrote:
>> gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);
>>
>> can this call acquire any credentials that I could use later for
>> gss_init_sec_context? It seems to me that no, but I would like a
>> confirmation.
>
> No, you will only get acceptor creds this way.
>
>> Or, to put it differently, if all I have is a keytab file (i.e. I have
>> nothing in the caches, I have never called kinit, I have never called
>> gss_acquire_cred or gss_acquire_cred_by_password) is there a way to
>> acquire credentials only with that keytab file? (The keytab file is not
>> empty, obviously.)
>
> Yes, as of MIT krb5 1.11.  The basic outline is:
>
> * Configure a client keytab name, typically using the KRB5_CLIENT_KTNAME
> environment variable.
>
> * Configure a ccache (with KRB5CCNAME or otherwise) that won't be
> disturbed by a human.  Don't populate this cache manually.
>
> * Call gss_acquire_cred() with usage GSS_C_INITIATE.  Ticket acquisition
> and refreshes from the keytab will happen automatically behind the scenes.
>
> As of 1.12, you can use gss_acquire_cred_from() to specify the client
> keytab name and ccache name, if you want to do that programmatically
> rather than through the program environment.
>
> There is more at:
>
> http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
>
> This is under-documented in the main documentation; the component
> features are documented, but there ought to be a better "how to."


Thank you.

Sorin