[28648] in Kerberos
Re: question on gss_acquire_cred
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Nov 2 16:08:19 2007
Message-ID: <472B82B7.50108@anl.gov>
Date: Fri, 02 Nov 2007 15:04:07 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Priya Govindarajan <govindap@us.ibm.com>
In-Reply-To: <OF47FC7383.DD066351-ON87257387.0068BC43-88257387.0069F047@us.ibm.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Priya Govindarajan wrote:
> Hi,
>
> I am trying to understand how gss_acquire_cred works.
>
> When trying gss_server and gss_client - sample programs : When
> gss_server run as user root the gss_acquire_cred function executes without
> any errors. (The service principal key is added to the keytab file)
>
> When I execute gss_server as another user I get the following error
> "server_acquire_creds: sample
> server_acquire_creds: calling gss_acquire_credGSS-API error acquiring
> credentials: Miscellaneous failure
> GSS-API error acquiring credentials: Permission denied"
>
> My understanding is gss_acquire_cred tries to get the default credential
> from credential cache.
No. With Kerberos gssapi, there are two types of credentials: tickets in caches
and keytabs. The gss_acquire_cred can be called with gss_cred_usage:
GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH.
This sort of maps to use a ticket cache with gss_init and use a keytab
for gss_accept (user-to-user is the exception.)
But your problem is most likely that the server is trying to use the default
keytab file that is readable only by root.
If you have a user owned keytab, you could set KRB5_KTNAME to point at it.
> How is gss_server as user root able to
> execute gss_acquire_cred function without any cred in credential cache.
It uses the keytab file for the machine.
> What is the problem when executing gss_server as any other user ?
>
> Thanks,
> Priya
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
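As an added example (not from the thread or from the MIT sample programs), a preflight shell check for the situation described above: it resolves the keytab the way the library does when acceptor (GSS_C_ACCEPT) credentials are acquired (KRB5_KTNAME with an optional FILE: prefix, otherwise an assumed default of /etc/krb5.keytab) and reports whether the current user can read it before the daemon ever calls gss_acquire_cred.

```shell
#!/bin/sh
# Added example: preflight check for acceptor (GSS_C_ACCEPT) credentials.
# gss_acquire_cred for an acceptor reads the keytab, so a daemon running as
# a non-root user fails with "Permission denied" when only root can read it.

DEFAULT_KEYTAB=/etc/krb5.keytab   # assumed default path; distributions may differ

# resolve_keytab: print the keytab path the Kerberos library will open.
# Honors KRB5_KTNAME and strips an optional "FILE:" keytab-type prefix.
resolve_keytab() {
    kt="${KRB5_KTNAME:-$DEFAULT_KEYTAB}"
    case "$kt" in
        FILE:*) kt="${kt#FILE:}" ;;
    esac
    printf '%s\n' "$kt"
}

# keytab_check: returns 0 if the keytab is readable by the current user,
# 2 if it does not exist, 1 if it exists but is unreadable (the case in
# the thread: default keytab readable only by root).
keytab_check() {
    kt=$(resolve_keytab)
    if [ ! -e "$kt" ]; then
        echo "keytab $kt does not exist" >&2
        return 2
    fi
    if [ ! -r "$kt" ]; then
        echo "keytab $kt is not readable by $(id -un); fix its group/mode or" >&2
        echo "set KRB5_KTNAME to a keytab owned by the service user" >&2
        return 1
    fi
    echo "keytab $kt is readable by $(id -un)"
    return 0
}

# When saved as keytab_preflight.sh and run as the service user, exit with
# the check's status so an init script can refuse to start the daemon.
if [ "${0##*/}" = "keytab_preflight.sh" ]; then
    keytab_check
fi
```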