>Thank you for your suggestions.

>Kevin

>________________________________________________
>Kerberos mailing list           Kerbe...@mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos

> I am trying to interface with our Windows 2000 server using Kerberos. I
> would like a client to obtain a credential handle for a given user with a
> supplied password.

> krb5_init_context
> krb5_cc_default
> krb5_parse_name (passing the principal name name@domain)
> krb5_unparse_name (because that is what kinit does)

> Then I call krb5_get_init_creds_password and I get an error indicating the
> my I/O flags are not appropriate. This is a Windows application so tty
> settings and I/O setting are not really applicable. Is there another way to
> get a set of credentials given a user name and password? Ideally I would
> like a gss_cred_id_t handle of the credentials but right now I would take
> anything.

> Thank you for your suggestions.

> Kevin

> ________________________________________________
> Kerberos mailing list           Kerbe...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

> Kevin Burton wrote:

> > I am trying to interface with our Windows 2000 server using Kerberos. I
> > would like a client to obtain a credential handle for a given user with
a
> > supplied password.

> If the client is running on UNIX, you can setting KRB5CCNAME ....
> then do a kinit then call your application. The gss_acquire_cred will use
> the underlying implementations method to find the credential.

> If the client is on Windows there are some other things you can do.

> > Using GSSAPI this involves calling gss_init_sec_context
> > and instead of passing GSS_C_NO_CREDENTIAL I would like to pass the
opaque
> > handle gss_cred_id_t which is obtained via gss_acquire_cred. The problem
is
> > that gss_acquire_cred only has the option to specify a credential by
name

> The name would be which credential in a credential cache. Its not what
> you might think.

> > (not password). So I am assuming that the way to go would be to look at
what
> > kinit does and then the "name" of the credential is probably the
prinicipal
> > name. I call the following:

> > krb5_init_context
> > krb5_cc_default
> > krb5_parse_name (passing the principal name name@domain)
> > krb5_unparse_name (because that is what kinit does)

> > Then I call krb5_get_init_creds_password and I get an error indicating
the
> > my I/O flags are not appropriate. This is a Windows application so tty
> > settings and I/O setting are not really applicable. Is there another way
to
> > get a set of credentials given a user name and password? Ideally I would
> > like a gss_cred_id_t handle of the credentials but right now I would
take
> > anything.

> (This is not tested:)
>  #!/bin/sh
>  KRB5CCNAME=FILE:/tmp/krb5_cc.appl.$$ i.e. make it unique
>  export KRB5CCNAME
>  kinit
>  application
>  kdestroy

> If it has to be in the applicaiton how about something like:
>   setenv("KRB5CCNAME", somefilename);
>   system("kinit"); /* or call some krb5 routines */
>   gss_acquire_cred();

> > Thank you for your suggestions.

> > Kevin

> > ________________________________________________
> > Kerberos mailing list           Kerbe...@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

> --

>  Douglas E. Engert  <DEEng...@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
> ________________________________________________
> Kerberos mailing list           Kerbe...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

> >I am trying to interface with our Windows 2000 server using Kerberos. I
> >would like a client to obtain a credential handle for a given user with a
> >supplied password. Using GSSAPI this involves calling

> GSSAPI does not have an API for getting initial credentials (i.e.
> 'kinit' functionality).
> The user must establish their personal credentials external to the
> GSSAPI application
> (example:  run kinit, then run the GSSAPI application).

> >krb5_init_context
> >krb5_cc_default
> >krb5_parse_name (passing the principal name name@domain)
> >krb5_unparse_name (because that is what kinit does)

> Depending on where you put this code, you are likely violating the
> abstraction
> layer that GSSAPI was designed to provide. An application that calls
> GSSAPI should never call an mechanism-specific API.

> -Wyllys

> >Then I call krb5_get_init_creds_password and I get an error indicating
the
> >my I/O flags are not appropriate. This is a Windows application so tty
> >settings and I/O setting are not really applicable. Is there another way
to
> >get a set of credentials given a user name and password? Ideally I would
> >like a gss_cred_id_t handle of the credentials but right now I would take
> >anything.

> >Thank you for your suggestions.

> >Kevin

> >________________________________________________
> >Kerberos mailing list           Kerbe...@mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos

> ________________________________________________
> Kerberos mailing list           Kerbe...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos