[39512] in Kerberos


Re: IAKERB Starter Credentials Solution

daemon@ATHENA.MIT.EDU (Michael B Allen)
Sat Apr 26 15:33:37 2025

In-Reply-To: <aA0Lm7Ln7IU3t22Z@ubby>
From: Michael B Allen <ioplex@gmail.com>
Date: Sat, 26 Apr 2025 15:33:10 -0400
Message-ID: <CAGMFw4imyZmEsWkX0KRqkHyPsCZiiKad1dDcP1hwNxzcFV4eRg@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: kerberos <kerberos@mit.edu>

On Sat, Apr 26, 2025 at 12:36 PM Nico Williams <nico@cryptonector.com>
wrote:

> Rather than a callback I'd prefer to have a new major status code that
> indicates that the application must call a function to extract the
> prompts / supply answers, and this would use the partial security
> context handle to sequence things.
>

Yeah, when trying to do iakerb_gss_init_sec_context and there's no TGT (or
Ticket), then just returning an error is reasonable.

Applications would have to add new code to set a callback or catch an error
so neither way is going to be transparent.

But of course applications are not going to use the gss_acquire_cred_*
functions (and they probably should not).

When the user gets an error, they will have to use some utility that knows
to use gss_acquire_cred_with_password with IAKERB to some IAKERB-aware
service.
Then, with a TGT in their ccache, the application should now init IAKERB
successfully.

Correct?

Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/ <http://www.ioplex.com/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

