[19790] in Kerberos_V5_Development
Re: Multiple KDC's realm heuristic for KRB5CCNAME=DIR:/tmp/mydir/
daemon@ATHENA.MIT.EDU (Martin Gee)
Wed Jul 25 16:45:59 2018
Date: Wed, 25 Jul 2018 20:45:38 +0000 (UTC)
From: Martin Gee <geemang_2000@yahoo.com>
To: Greg Hudson <ghudson@mit.edu>, "krbdev@mit.edu" <krbdev@mit.edu>
krb5_gss_register_acceptor_identity("../file.keytab");
gss_acquire_cred(minor, gss_spn_name, GSS_C_INDEFINITE, &mechset_krb5, GSS_C_BOTH, &impersonator_cred, NULL, &time_rec);
gss_acquire_cred_impersonate_name(minor, impersonator_cred, gss_user_name, GSS_C_INDEFINITE, &mechset_krb5, GSS_C_INITIATE, &user_cred, NULL, &time_rec);
gss_init_sec_context(minor, user_cred, &ictx, gss_spn_name, &mech_krb5, GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG, GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, &atok, NULL, &itok, NULL, NULL);
gss_accept_sec_context(minor, &actx, impersonator_cred, &itok, GSS_C_NO_CHANNEL_BINDINGS, &source_name, &mech, &atok, NULL, NULL, &delegated_cred);
On Wednesday, July 25, 2018 3:23 PM, Greg Hudson <ghudson@mit.edu> wrote:
On 07/25/2018 03:04 PM, Martin Gee wrote:
> I'd like to use the automatic ccache creation that
> gss_acquire_cred_* does. gss_acquire_cred is failing with a custom
> keytab location/name.
Have a look at:
http://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html#default-client-keytab
The client keytab is located separately from the server keytab.
> Seems gss_acquire_cred only works when /etc/krb5.keytab is present.
I wouldn't expect gss_acquire_cred() to use /etc/krb5.keytab unless one
of the locators for the client keytab was explicitly set to point to it.
So this and the corresponding attempts to use /etc/krb5.keytab in the
trace logs are confusing to me. Precisely what GSS calls are being traced?
> I've tried these:
> export KRB5_KTNAME=/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab
> setenv("KRB5_KTNAME", "/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab", 1)
> krb5_gss_register_acceptor_identity("/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab");
These all set the server keytab location.
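A preflight check for the client/server keytab distinction discussed in this thread, as an added example (not code from either poster or from MIT krb5): it reports which keytab locator applies to each role, using the environment variables and built-in defaults documented on the linked keytab page. The function names are hypothetical, and the example assumes krb5.conf sets neither default_keytab_name nor default_client_keytab_name and that the build uses the stock MIT default paths.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* KT_SERVER: keytab read when accepting contexts (gss_accept_sec_context).
 * KT_CLIENT: keytab gss_acquire_cred() uses to obtain initiator creds. */
enum kt_role { KT_SERVER, KT_CLIENT };

/* Write the locator that applies to `role` into out. Returns 1 if it came
 * from the environment, 0 if it is the built-in default. Assumption:
 * krb5.conf sets neither default_keytab_name nor
 * default_client_keytab_name, and the build uses stock MIT defaults. */
int resolve_keytab(enum kt_role role, char *out, size_t len)
{
    const char *var = role == KT_SERVER ? "KRB5_KTNAME" : "KRB5_CLIENT_KTNAME";
    const char *val = getenv(var);
    if (val != NULL) {
        snprintf(out, len, "%s", val);
        return 1;
    }
    if (role == KT_SERVER)
        snprintf(out, len, "FILE:/etc/krb5.keytab");
    else
        snprintf(out, len, "FILE:/usr/local/var/krb5/user/%lu/client.keytab",
                 (unsigned long)geteuid());
    return 0;
}

/* 1 if the locator names a readable file; other keytab types report 0. */
int keytab_readable(const char *loc)
{
    if (strncmp(loc, "FILE:", 5) == 0)
        loc += 5;
    return access(loc, R_OK) == 0;
}

int main(void)
{
    char loc[4096];
    for (int r = KT_SERVER; r <= KT_CLIENT; r++) {
        int env = resolve_keytab((enum kt_role)r, loc, sizeof(loc));
        printf("%s keytab: %s (%s, %s)\n", r == KT_SERVER ? "server" : "client",
               loc, env ? "environment" : "built-in default",
               keytab_readable(loc) ? "readable" : "NOT readable");
    }
    return 0;
}
```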