[38187] in Kerberos
Re: Different realms
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Fri Jan 26 07:55:59 2018
From: Robbie Harwood <rharwood@redhat.com>
To: Imanuel Greenfeld <imanuel.greenfeld1@ntlworld.com>, kerberos@mit.edu
In-Reply-To: <002401d392eb$bc0a5540$341effc0$@ntlworld.com>
Date: Fri, 26 Jan 2018 13:55:25 +0100
Message-ID: <jlgwp04ok3m.fsf@redhat.com>
Cc: "'Simo Sorce'" <simo@redhat.com>
"Imanuel Greenfeld" <imanuel.greenfeld1@ntlworld.com> writes:

> I have 2 domains which there is no trust between them.
>
> I'm running a process on Domain 1. This needs to submit HTTP rest
> request to Domain 2 which the KDC is also on the same domain
> (i.e. domain 2).

What does "domain" mean here? Do you have two realms (A and B), with
two machines (machine_a in A, and machine_b in B), and two services
(service_a on machine_a, and service_b on machine_b)?

> I have keytab (for the service account on Domain 2) and kerb5.conf
> with the details of the two realms.

So if I understand correctly: on machine_b, you have a keytab for
service_b. And krb5.conf knows the KDCs and such for both A and B.

> I found a way to incorporate the keytab into the HTTP request in Java but
> not in C/C++.

I lose you here. It sounds like you're sending the keytab as part of
the HTTP request? I'm not overly familiar with the Java bindings, but
this isn't something one really wants to be doing in Kerberos.

> I know there are functions such as krb5_get_init_creds_keytab but I do
> not know how to achieve the same in C/C++ (as I did in Java). So when
> I have the keytab, how do I incorporate this to the HTTP header ?

You shouldn't be passing credentials around for security reasons, and
you shouldn't be putting things of variable length in headers.

What is the actual, higher level thing you are trying to accomplish?

Thanks,
--Robbie
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos