[20172] in Kerberos_V5_Development
Re: without caching of initial krbtgt tickets
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Sep 28 18:49:44 2020
To: Sri <bskmohan@yahoo.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <d0479cbb-d650-e129-543b-a1fbf7b0631b@mit.edu>
Date: Mon, 28 Sep 2020 18:49:22 -0400
In-Reply-To: <683388465.1360736.1601328129203@mail.yahoo.com>
On 9/28/20 5:22 PM, Sri wrote:
> krb5_get_init_creds_password(context, &my_creds, userPrinc, pwd, 0, 0, starttime, 0, optz);
> krb5_cc_initialize(,ccache,..)
> krb5_cc_store_creds(,..ccache,...)

Side point, but it is generally better to use
krb5_get_init_creds_opt_set_out_ccache() so that appropriate ccache
config state can be written to the cache, rather than doing the
initialize and store operations yourself. It's unlikely to have much of
an impact on this use case, however.

> 1) Is there any libkrb5 API that does both sending AS-REQ/AS-REP and TGS-REQ/TGS-REP? No need to send AP-REQ/AP-REP.

No, but you can specify a service name to krb5_get_init_creds_password()
using the in_tkt_service parameter, and get tickets to the target
service with just an AS-REQ. This only works if the service is in the
same realm as the client; there is no such thing as a cross-realm AS
request.

> 2) Is it possible to invoke krb5_get_credentials() without caching the krbtgt tickets? I am trying to reuse the out_creds from krb5_get_init_creds_password() in krb5_get_credentials() but that failed with the below trace:

No, but you can use a MEMORY ccache by calling krb5_cc_new_unique() with
type MEMORY, and destroy the ccache afterwards.