[2182] in Kerberos_V5_Development

Comments on Krb5-nt-alpha1 - With Gradient PC-DCE 2.0

daemon@ATHENA.MIT.EDU (Doug Engert)
Sat Jan 25 21:29:47 1997

Date: Sat, 25 Jan 1997 20:28:25 -0600
From: Doug Engert <deengert@anl.gov>
Reply-To: deengert@anl.gov
To: krbdev@MIT.EDU, pcdce@gradient.com
Cc: deengert@anl.gov, breton@gradient.com, agray@opengroup.org,
        sanfilip@osf.org

I have both the MIT krb5-nt-alpha1 and the Gradient 
PC-DCE for Windows NT/95 2.0 installed on a Windows 95
machine. 

I have been able to use the Credentials cache created by
the Gradient dce_login or the Windows login with the 
MIT library if I copy the cache or manually edit the kerberos.ini
file to point at the cache created by DCE. 

The attached modification to \lib\krb5\os\ccdefname.c will
cause the MIT library to look for the name of the cache in 
the Windows registry where the Gradient code stores the name.    
If the RegKRB5CCNAME is not defined in the kerberos.ini file, or
if the current user has not done a dce_login, then the MIT 
library will work as before. 

To activate this code, add to the kerberos.ini file:
[Files]
RegKRB5CCNAME=Software\Gradient\DCE\Credentials\Default\KRB5CCANME

This may also work with the DEC version of DCE, but I have not 
looked at it. 

This is more of a proof of concept, that you can combine 
K5 and DCE even on the PC. (PC-DCE does not get a forwardable ticket
by default and requires a DCE kinit -f to be run. Same annoyance
as on the Unix systems.) 

A much better fix in the long run would be for the DCE code
to set in the Windows registry HKEY_CURRENT_USER/environment
KRB5CCNAME variable, where both the MIT and Gradient code
could find it.

lib\krb5\os\ccdefname.c:

    #if defined(_MSDOS) || defined(_WIN32)
            {
                char defname[160];                  /* Default value */
    
 !> 	/* If the RegCache variablle is set, it will point to the registry
key
 !> 	 * which has the name of the cache to use. 
 !> 	 * The Gradient PCDCE sets
"HKEY_CURRENT_USER\Software\Gradient\DCE\Default\KRB5CCNAME"
 !> 	 * to point at the cache. We will get this and use it as the name.
 !> 	 * It includes the FILE: prefix.
 !> 	 * The DEC and/or the IBM versions might also set a registry
variable as well.
 !> 	 */
 !> 	    char newkey[256];
 !> 	    
 !> 	    LONG name_buf_size;
 !> 	    HKEY hkey;
 !> 	    DWORD ipType;
 !> 	    int found = 0;
 !> 	    char *cp;
 !> 	    
 !> 
 !>             GetPrivateProfileString(INI_FILES, "RegKRB5CCNAME", "", 
 !> 		newkey, sizeof(newkey), KERBEROS_INI); 
 !> 	    if (strlen(newkey)) {
 !> 	      cp = strrchr(newkey,'\\');
 !> 	      if (cp) {
 !> 		*cp = '\0'; /* split the string */
 !> 		cp++;
 !> 	      } else
 !> 		cp = "";
 !> 	      if (RegOpenKeyEx(HKEY_CURRENT_USER, newkey, 0,
 !> 		   KEY_QUERY_VALUE, &hkey) == ERROR_SUCCESS) {
 !>                 name_buf_size = sizeof(name_buf);
 !> 		if (RegQueryValueEx(hkey, cp, 0, &ipType, 
 !> 		   name_buf, &name_buf_size) == ERROR_SUCCESS) 
 !> 		found = 1;
 !> 	     }
 !> 	   }
 !> 	   if(!(found)) {
                GetWindowsDirectory (defname, sizeof(defname)-7);
                strcat (defname, "\\krb5cc");
                strcpy (name_buf, "FILE:");
                GetPrivateProfileString(INI_FILES, INI_KRB_CCACHE,
defname,
                    name_buf+5, sizeof(name_buf)-5, KERBEROS_INI);
    	   }
    	
 !>         }
    #else
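
Review bot: The key opened by RegOpenKeyEx in the added block is never released: there is no RegCloseKey(hkey) after RegQueryValueEx on either the success or the failure path, so every call that finds the key leaks a registry handle. Add RegCloseKey(hkey) right after the query. In the same call, ipType is fetched but never tested, and RegQueryValueEx does not guarantee that a string value comes back NUL-terminated, so a non-string value or an unterminated string would be handed on as the cache name; set found only when ipType is REG_SZ and terminate name_buf explicitly before use. name_buf_size is declared LONG while RegQueryValueEx takes a pointer to DWORD, and name_buf is passed without the LPBYTE cast; declaring it DWORD and casting would remove both mismatches. The comment gives the key as Software\Gradient\DCE\Default\KRB5CCNAME while the kerberos.ini example in the message uses Software\Gradient\DCE\Credentials\Default\KRB5CCANME; the two should agree so a reader can tell which path the Gradient code actually writes.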
 

(The above is from the output of the WinDiff program. If there is a
better way to get a diff on Windows, point me at it.) 



-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444