[19791] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Multiple KDC's realm heuristic for KRB5CCNAME=DIR:/tmp/mydir/

daemon@ATHENA.MIT.EDU (Martin Gee)
Thu Jul 26 11:54:34 2018

Date: Thu, 26 Jul 2018 15:54:16 +0000 (UTC)
From: Martin Gee <geemang_2000@yahoo.com>
To: Greg Hudson <ghudson@mit.edu>, "krbdev@mit.edu" <krbdev@mit.edu>
Message-ID: <1972888049.2813017.1532620456083@mail.yahoo.com>
In-Reply-To: <1948374132.2411928.1532551538371@mail.yahoo.com>
MIME-Version: 1.0
Reply-To: Martin Gee <geemang_2000@yahoo.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Greg, I have something working :)  I had to set both KRB5_KTNAME and KRB5_CLIENT_KTNAME to my desired keytab file.  
Can you plz help me confirm my understanding of why both env variables are necessary?

e.g. where t_getImpSecurityToken does what t_s4u w/ ccache creation
        setenv("KRB5CCNAME", "/tmp/krb5cc_v_icsynergy_net", 1);        setenv("KRB5_KTNAME", "/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab", 1);        setenv("KRB5_CLIENT_KTNAME", "/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab", 1);        const char* service_name = "host/gw.icsynergy.info@ICSYNERGY.NET";        const char* user_name = "tuser1@ICSYNERGY.NET";        const char* host_name =  "HTTP@ics-dc-1.icsynergy.net";        t_getImpSecurityToken(service_name, user_name,  host_name);
KRB_KTNAME is logged:[2606] 1532615727.367867: Retrieving host/gw.icsynergy.info@ICSYNERGY.NET from FILE:/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab (vno 0, enctype 0) with result: 0/Success

KRB5_CLIENT_KTNAME is logged:
[4694] 1532615787.103586: Retrieving host/gw.icsynergy.info@ICSYNERGY.NET from FILE:/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab (vno 0, enctype 0) with result: 0/Success
Here is my gss_acquire_cred (seems to be all rooted in this call):gss_acquire_cred(minor, gss_spn_name, GSS_C_INDEFINITE, &mechset_krb5, GSS_C_BOTH, &impersonator_cred, NULL, &time_rec);
GSS_C_BOTH - (acquire_cred.c) acquire_accept_cred uses KRB_KTNAME(acquire_cred.c) acquire_init_cred uses KRB5_CLIENT_KTNAME which overrides:
/etc/krb5.conf[libdefaults]
default_client_keytab_name = /etc/krb5.keytab

The main diff from t_s4u is; gss_spn_name (host/gw.icsynergy.info@ICSYNERGY.NET) is being used instead of GSS_C_NO_NAME

I'm assuming gss_spn_name + GSS_C_BOTH is exercising both env variables?







 

    On Wednesday, July 25, 2018 3:45 PM, Martin Gee <geemang_2000@yahoo.com> wrote:
 

 
krb5_gss_register_acceptor_identity("../file.keytab");
gss_acquire_cred(minor,                                gss_spn_name,                                GSS_C_INDEFINITE,                                &mechset_krb5,                                GSS_C_BOTH,                                &impersonator_cred,                                NULL,                                &time_rec);
gss_acquire_cred_impersonate_name(minor,                        impersonator_cred,                        gss_user_name,                        GSS_C_INDEFINITE,                        &mechset_krb5,                        GSS_C_INITIATE,                        &user_cred,                        NULL,                        &time_rec);
gss_init_sec_context(minor,                        user_cred,                                &ictx,                                gss_spn_name,                                &mech_krb5,                        GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,                                GSS_C_INDEFINITE,                                GSS_C_NO_CHANNEL_BINDINGS,                                &atok, NULL,                                &itok, NULL, NULL);
gss_accept_sec_context(minor,                        &actx,                        impersonator_cred,                        &itok,                        GSS_C_NO_CHANNEL_BINDINGS,                        &source_name,                        &mech,                        &atok, NULL, NULL,                        &delegated_cred);

 

    On Wednesday, July 25, 2018 3:23 PM, Greg Hudson <ghudson@mit.edu> wrote:
 

 On 07/25/2018 03:04 PM, Martin Gee wrote:
> I'd like to use the automatic ccache creation that 
> gss_acquire_cred_* does. gss_acquire_cred is failing with a custom 
> keytab location/name.

Have a look at:

http://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html#default-client-keytab

The client keytab is located separately from the server keytab.

> Seems gss_acquire_cred only works when /etc/krb5.keytab is present.

I wouldn't expect gss_acquire_cred() to use /etc/krb5.keytab unless one 
of the locators for the client keytab was explicitly set to point to it. 
  So this and the corresponding attempts to use /etc/krb5.keytab in the 
trace logs are confusing to me.  Precisely what GSS calls are being traced?

> I've tried these:
> export 
> KRB5_KTNAME=/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab
> setenv("KRB5_KTNAME", 
> "/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab", 
> 1)
> krb5_gss_register_acceptor_identity("/opt/development/spgw/spgw-gssapi/GSSAPIMemory/spgateway_icsynergy_net.keytab");

These all set the server keytab location.


   

   
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev


home help back first fref pref prev next nref lref last post