Re: WS-Security and GSS-API: How do I get the session key?
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Mar 6 14:28:23 2009
Message-ID: <49B17944.4060701@anl.gov>
Date: Fri, 06 Mar 2009 13:28:04 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: weijun.wang@sun.com
In-Reply-To: <e1426fee-e5a5-41a9-aafa-48653903cfb0@v35g2000pro.googlegroups.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
weijun.wang@sun.com wrote:
> Hi Luke
>
> On Feb 24, 9:36 pm, Luke Howard <lu...@padl.com> wrote:
>>> I don't recall offhand if there's been an IETF draft proposing the
>>> specific extension we've got for extracting the session key.
>
>> major = gss_inquire_sec_context_by_oid(&minor,
>>                                        ctx,
>>                                        GSS_C_INQ_SSPI_SESSION_KEY,
>>                                        &skey);
>
> Cool, we (Java SE Team at Sun) are also preparing to add a new method
> getSessionKey() to OpenJDK's JGSS-API for Java EE needs.
>
> BTW, I read the krb5-1.7 codes and notice you're supporting some other
> OIDs for this new function:
>
> KRB5_GET_TKT_FLAGS
> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
Please add at least the above, as it would let the caller get the
Microsoft PAC from the Kerberos ticket if the KDC was Microsoft AD.
The PAC contains user and group SIDs and other info from AD.
Original W2000:
http://msdn.microsoft.com/en-us/library/aa302203.aspx
More up-to-date info:
http://technet.microsoft.com/en-us/library/cc733967.aspx
http://msdn.microsoft.com/en-us/library/cc237917(PROT.10).aspx
Google for site:microsoft.com ms-pac
Would be useful in a Samba environment which can also add a PAC.
> KRB5_EXPORT_LUCID_SEC_CONTEXT
> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>
> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?
>
> Thanks
> Weijun
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
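The authorization data that KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT hands back is the raw PAC blob, and the first thing a service has to do with it is walk the PACTYPE buffer table described in the MS-PAC documents linked above. The following is an added example, not code from this thread or from MIT krb5 or OpenJDK: it parses the outer PACTYPE structure and the PAC_INFO_BUFFER table, decodes the PAC_CLIENT_INFO buffer (client name and authentication time) and reports which checksum algorithms the two signature buffers use. The sample PAC is constructed inline (the LOGON_INFO payload is a zeroed placeholder, and the checksums are zero-filled), so it runs offline. It deliberately does not verify the server checksum, which requires the service's long-term key; until that verification succeeds, nothing in the PAC, SIDs included, should be trusted.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# PAC_INFO_BUFFER ulType values (MS-PAC section 2.4)
PAC_BUFFER_TYPES = {
    0x01: "LOGON_INFO",       # NDR-encoded KERB_VALIDATION_INFO: user and group SIDs
    0x02: "CREDENTIALS_INFO",
    0x06: "SERVER_CHECKSUM",  # keyed with the service's long-term key
    0x07: "KDC_CHECKSUM",     # keyed with the krbtgt key; only the KDC can verify it
    0x0A: "CLIENT_INFO",      # PAC_CLIENT_INFO: client name and authentication time
    0x0B: "CONSTRAINED_DELEGATION_INFO",
    0x0C: "UPN_DNS_INFO",
}

# PAC_SIGNATURE_DATA SignatureType values (MS-PAC section 2.8)
SIGNATURE_TYPES = {
    0xFFFFFF76: "KERB_CHECKSUM_HMAC_MD5",
    0x0000000F: "HMAC_SHA1_96_AES128",
    0x00000010: "HMAC_SHA1_96_AES256",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class PacBuffer:
    ul_type: int
    data: bytes


def parse_pac(blob: bytes) -> List[PacBuffer]:
    """Walk the PACTYPE header and return each PAC_INFO_BUFFER's payload, bounds-checked."""
    if len(blob) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    c_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    table_end = 8 + 16 * c_buffers
    if table_end > len(blob):
        raise ValueError("PAC buffer table runs past end of data")
    buffers = []
    for i in range(c_buffers):
        # Each entry: ULONG ulType, ULONG cbBufferSize, ULONG64 Offset (from start of PACTYPE)
        ul_type, cb_size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset < table_end or offset + cb_size > len(blob):
            raise ValueError(f"buffer {i} (type {ul_type:#x}) lies outside the PAC")
        buffers.append(PacBuffer(ul_type, blob[offset:offset + cb_size]))
    return buffers


def decode_client_info(data: bytes):
    """PAC_CLIENT_INFO: FILETIME ClientId, USHORT NameLength, UTF-16LE Name."""
    client_id, name_len = struct.unpack_from("<QH", data, 0)
    name = data[10:10 + name_len].decode("utf-16-le")
    auth_time = FILETIME_EPOCH + timedelta(microseconds=client_id // 10)
    return auth_time, name


def decode_signature_type(data: bytes) -> str:
    """PAC_SIGNATURE_DATA: ULONG SignatureType followed by the checksum bytes."""
    (sig_type,) = struct.unpack_from("<I", data, 0)
    return SIGNATURE_TYPES.get(sig_type, f"unknown({sig_type:#x})")


def summarize(blob: bytes) -> Dict[str, object]:
    """Report buffer types, client identity and which checksum algorithms protect the PAC."""
    out: Dict[str, object] = {"buffers": []}
    for buf in parse_pac(blob):
        name = PAC_BUFFER_TYPES.get(buf.ul_type, f"unknown({buf.ul_type:#x})")
        out["buffers"].append(name)
        if buf.ul_type == 0x0A:
            out["auth_time"], out["client_name"] = decode_client_info(buf.data)
        elif buf.ul_type == 0x06:
            out["server_checksum_type"] = decode_signature_type(buf.data)
        elif buf.ul_type == 0x07:
            out["kdc_checksum_type"] = decode_signature_type(buf.data)
    return out


def build_pac(buffers: List[PacBuffer]) -> bytes:
    """Serialise a PACTYPE with 8-byte-aligned buffers; used only to construct sample input here."""
    offset = 8 + 16 * len(buffers)
    table, body = b"", b""
    for b in buffers:
        table += struct.pack("<IIQ", b.ul_type, len(b.data), offset)
        padded = b.data + b"\x00" * (-len(b.data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + table + body


def sample_pac() -> bytes:
    """Constructed sample PAC: client 'weijun', auth time matching this mail's date, zeroed checksums."""
    auth = datetime(2009, 3, 6, 19, 28, 4, tzinfo=timezone.utc)
    filetime = int((auth - FILETIME_EPOCH).total_seconds()) * 10_000_000
    name = "weijun".encode("utf-16-le")
    client_info = struct.pack("<QH", filetime, len(name)) + name
    return build_pac([
        PacBuffer(0x01, b"\x00" * 24),                                # placeholder KERB_VALIDATION_INFO
        PacBuffer(0x0A, client_info),
        PacBuffer(0x06, struct.pack("<I", 0x10) + b"\x00" * 12),      # AES256 server checksum (zeroed)
        PacBuffer(0x07, struct.pack("<I", 0x10) + b"\x00" * 12),      # AES256 KDC checksum (zeroed)
    ])


if __name__ == "__main__":
    for key, value in summarize(sample_pac()).items():
        print(f"{key}: {value}")
```

The bounds checks in parse_pac matter because the PAC arrives from the network inside the ticket; an offset pointing back into the buffer table or past the end of the blob is rejected rather than sliced blindly.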