[3612] in Kerberos
Using Aklog with Kerberos 5.4.1 to get an AFS Token
daemon@ATHENA.MIT.EDU (Doug Engert)
Mon Jul 25 20:10:42 1994
Date: Mon, 25 Jul 94 08:54:01 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <TYTSO@MIT.EDU>
Cc: <AUTH-PILOT@ES.NET>, <KERBEROS@MIT.EDU>
In response to my note, Ted responded:
"... but it completely goes against the purpose of the krb425 library ---
again, the libkrb425 library allows a program which uses the krb4 API
to access the krb5 protocol."
But the changes I made do "use the krb4 API, to access the
krb5 protocol." In particular, the goal was to allow aklog which
was written for krb4, to use the krb5 protocol including the
krb5 credential cache to get a krb5 credential which
could then be converted to an AFS token, without using any krb4 files
such as the cache, or the krb.conf, with a minimum of krb4 code.
The krb425 get_cred routine is defined as:
    krb_get_cred(service, instance, realm, c)
        char *service;
        char *instance;
        char *realm;
        CREDENTIALS *c;
and one of its functions is to return a CREDENTIALS structure. This is a
krb4 structure, and the original code converts what it can from
the krb5_creds structure. I am under the impression that
the encrypted parts of the ticket cannot be converted, and that
the krb524 routine krb524_convert_creds_kdc was designed to
convert the ticket as well.
If the krb425 get_cred was designed to return a partial CREDENTIALS
or to have the CREDENTIALS ignored, then the code I added could be
referred to as abusing the krb425 library.
If the function of the krb425 get_cred was to return a fully
usable CREDENTIALS structure, then the code I added could be said
to fix a problem with the routine. I realize that one must be running
the krb524d daemon for this to work and that may be the cost to having
a fully usable CREDENTIALS structure.
Rather than changing the krb425 get_cred routine, I can just as easily
copy parts of it into aklog instead, if you don't want to use the changes.
Even if you don't want to add the call to krb524_convert_creds_kdc
in get_cred, I would still like you to consider the other comments:
o passing of a null string as an instance to krb5_build_principal
o copying debug_decl.c and krb_err_txt.c to the krb425 library
o adding a krb_get_tf_realm routine.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov