[35870] in Kerberos
Re: On credential cache separation between service ticket and TGT
daemon@ATHENA.MIT.EDU (Arpit Srivastava)
Tue Mar 18 11:23:34 2014
In-Reply-To: <531753FE.4020302@mit.edu>
Date: Tue, 18 Mar 2014 20:51:21 +0530
Message-ID: <CAEvOXU4-1qUycY62DOcUfYfGcKW-_H+CNMPg81OEsezXA6eqUg@mail.gmail.com>
From: Arpit Srivastava <arpit.orb@gmail.com>
To: Greg Hudson <ghudson@mit.edu>, Russ Allbery <rra@stanford.edu>
Cc: kerberos <kerberos@mit.edu>

Thanks Greg and Russ,

I am trying to implement this logic. However, I am facing these problems:

1. Calling krb5_cc_initialize() fails with return value "-1765328190" which
is "Credentials cache permission incorrect". What could be the reason for
this error?
Do I need to create a different context handle for handling another
credential?

2. If my original cache is krb5cc_uid, then how do I write another cache file
which shall contain service tickets? What I am doing right now is to set
env var KRB5CCNAME to a different path (and then storing
krb5cc_xyz containing service ticket there) and then setting it back to
original one.

Arpit

On Wed, Mar 5, 2014 at 10:12 PM, Greg Hudson <ghudson@mit.edu> wrote:
> On 03/05/2014 10:55 AM, Arpit Srivastava wrote:
> > That is the problem now. How to separate service tickets from the TGT so
> > as to copy it (only) to the different cache ? It would be great if you
> > can give some pointers.
>
> 1. Open the original ccache with krb5_cc_resolve.
> 2. Retrieve the service cred with krb5_cc_retrieve_cred.
> 3. Close the original ccache with krb5_cc_close.
> 4. Open the new ccache with krb5_cc_resolve.
> 5. Initialize the new ccache with krb5_cc_initialize.
> 6. Store the previously obtained cred with krb5_cc_store_cred.
> 7. Close the new ccache with krb5_cc_close.
> 8. Release the service cred with krb5_free_cred_contents.
>
> Documentation for these functions is at:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/index.html
>
> If you have to iterate over the source ccache to find the service ticket
> because krb5_cc_retrieve_cred won't work for you, use
> krb5_cc_start_seq_get, krb5_cc_next_cred, and krb5_cc_end_seq_get.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos