[39069] in Kerberos


Re: Creating a principal using the kadmin C API

daemon@ATHENA.MIT.EDU (Chris Hecker)
Thu Apr 7 21:44:14 2022

From: "Chris Hecker" <checker@d6.com>
To: kerberos@mit.edu
Date: Fri, 08 Apr 2022 01:40:38 +0000
Message-ID: <em2eb97aee-65f3-4bd1-a6f7-758920103c10@checker-blade15>
In-Reply-To: <CAD-Ua_ifa=vo4PEzy3kx-5FB3J+hhN_2BTuS7O=E+hfudRbV4Q@mail.gmail.com>
Reply-To: Chris Hecker <checker@d6.com>


I use the kadm5 API to create princs and change keys.  I do this with a 
memory keytab (well, I load a disk keytab while root, copy it to a 
memory keytab, and then drop privs), but I assume it's using the default 
system /etc/krb5.conf.  I do have my krb5 client stuff build an 
in-memory conf and I hacked an API in for using that because there 
didn't use to be a way to do that, I think there is now, but I don't do 
kadm5 stuff the same way.

I'm happy to post my code for making princs and randkeying if you'd 
like.

Chris



------ Original Message ------
From: "Lars Francke" <lars.francke@gmail.com>
To: kerberos@mit.edu
Sent: 2022-04-07 13:19:50
Subject: Creating a principal using the kadmin C API

>Hi everyone,
>
>we're trying to create principals and keys using the kadmin C API.
>The normal API has some documentation[1] but unfortunately the kadmin API
>doesn't have any we could find.
>
>We tried to use kadm5_create_principal_3 and kadm5_randkey_principal_3 but
>we seem to be running into an issue. Ideally we'd like to call this
>function with a handle (+ context) with an in-memory krb5.conf but that
>does not seem to work so we create the files and refer to them in the
>profile but kadmin still seems to load (is this related to the
>"alt_profile"?) a file from a default location which means it'll use the
>wrong connection details.
>
>I am sorry for the vague description, it's been two weeks since we tried
>and I only now get around to writing it down. I'm happy to provide more
>details.
>
>In general though my question is whether there's a good way (maybe even an
>example and/or docs) to programmatically create principals and keys using
>the kadmin API without resorting to calling kadmin and parsing stdout etc.
>
>Thank you very much for your help.
>
>Cheers,
>Lars
>
>[1] <https://web.mit.edu/kerberos/krb5-1.19/doc/appdev/refs/api/index.html>
>________________________________________________
>Kerberos mailing list           Kerberos@mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos


