using multiple credential cache files in a server
Rick Macklem  
Newsgroups: comp.protocols.kerberos
From: rmack...@uoguelph.ca (Rick Macklem)
Date: 23 Apr 2004 13:26:38 -0700
Local: Sat, Apr 24 2004 1:56 am
Subject: using multiple credential cache files in a server
A gssd daemon for an NFS client needs to be able to use the GSS API call
gss_init_sec_context() on behalf of different users (uids). I can see two
ways of doing this:
1 - fork off a separate child that does setuid(user_uid) to get context for
     that user (seems inefficient)
OR
2 - Get Initiator credentials for the principal and use those in the
     gss_init_sec_context() call. This seems preferable, but requires that
     the server switch to the credentials cache file for the appropriate uid
     associated with that principal. (At least it seems that a credentials
     cache file with the correct tgt is required to get Initiator Credentials.)

This leads me to my question:
How do you get the Kerberos libraries to switch to a different credential cache
file whenever you want to get Initiator Credentials for a different uid?

Thanks in advance for any help, rick

Rick Macklem  
Newsgroups: comp.protocols.kerberos
From: rmack...@uoguelph.ca (Rick Macklem)
Date: 6 May 2004 14:18:49 -0700
Local: Fri, May 7 2004 2:48 am
Subject: Re: using multiple credential cache files in a server

I don't usually answer my own questions, but I thought someone might be
interested in how it can be done...

This works using Heimdal (but not MIT's sources, I suspect):
You can get GSS API Initiator Credentials on behalf of different users using
code something like this:
extern krb5_context gssapi_krb5_context; /* Internal, YUCK! */
gss_cred_id_t cred = NULL;
char ccname[64];
krb5_error_code kret;
OM_uint32 major, minor;

...
    /*
     * get Initiator cred for a different user.
     */
    if (cred) {
        /* Heimdal internal: the cred handle carries the ccache it was
         * acquired from, so close that before switching caches. */
        krb5_cc_close(gssapi_krb5_context, cred->ccache);
        free(cred);
        cred = NULL;
    }
    /* bounded write: the name is "/tmp/krb5cc_<uid>" */
    snprintf(ccname, sizeof(ccname), "/tmp/krb5cc_%d", uid);
    kret = krb5_cc_set_default_name(gssapi_krb5_context, ccname);
    if (!kret) {
         major = gss_acquire_cred(&minor, GSS_C_NO_NAME, ...);
         ...
    }

which seems to work ok, assuming the daemon can access the different uid's
cred cache files in /tmp.

Probably not considered acceptable, since it relies on Heimdal's GSS API
internals, but it works, rick

Alexandra Ellwood  
Newsgroups: comp.protocols.kerberos
From: l...@mit.edu (Alexandra Ellwood)
Date: Thu, 6 May 2004 22:17:07 +0000 (UTC)
Local: Fri, May 7 2004 3:47 am
Subject: Re: using multiple credential cache files in a server
You can do the same thing in MIT Kerberos with the function

OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name (OM_uint32 *minor_status,
                                               const char *name,
                                               const char **out_name);

which allows you to set and/or get the cache name used by the GSSAPI.  
It lives in <gssapi/gssapi_krb5.h>.

On May 6, 2004, at 5:18 PM, Rick Macklem wrote:

--lxs
-----------------------------------------------------------------------
Alexandra Ellwood                                           l...@mit.edu
MIT Information Services & Technology           http://mit.edu/lxs/www/
-----------------------------------------------------------------------

________________________________________________
Kerberos mailing list           Kerbe...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
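Both answers above switch the process-wide default cache name before acquiring initiator credentials; the C sketch below, added here and not code from either poster, does the same through the public gss_krb5_ccache_name() prototype quoted above and adds the ownership check a root daemon needs before it trusts a file in /tmp (something the thread only alludes to with "assuming the daemon can access" the caches). The GSSAPI part compiles only with -DHAVE_GSSAPI_KRB5 (link with -lgssapi_krb5); HAVE_GSSAPI_KRB5, acquire_initiator_cred_for_uid, ccache_ok_for_uid and demo_ownership_check are names chosen for this example, and the /tmp/krb5cc_<uid> layout is the convention the thread uses.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef HAVE_GSSAPI_KRB5          /* build with -DHAVE_GSSAPI_KRB5 -lgssapi_krb5 */
#include <gssapi/gssapi_krb5.h>  /* declares gss_krb5_ccache_name(), includes gssapi.h */
#endif

enum { CC_OK, CC_ERR_STAT, CC_ERR_TYPE, CC_ERR_OWNER, CC_ERR_MODE };
/* A root daemon must not trust a name in /tmp blindly: lstat (no symlink
 * following), regular file, owned by uid, no group/other bits.  Otherwise a
 * user could plant a file or link and have the daemon use another's tickets. */
int ccache_ok_for_uid(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)            return CC_ERR_STAT;
    if (!S_ISREG(st.st_mode))             return CC_ERR_TYPE;
    if (st.st_uid != uid)                 return CC_ERR_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return CC_ERR_MODE;
    return CC_OK;
}

#ifdef HAVE_GSSAPI_KRB5
/* Point the GSSAPI at uid's cache, acquire initiator creds, then put the
 * previous cache name back so other requests in the daemon are unaffected. */
OM_uint32 acquire_initiator_cred_for_uid(uid_t uid, gss_cred_id_t *cred, OM_uint32 *minor)
{
    char name[64], *saved; const char *old = NULL; OM_uint32 major;
    snprintf(name, sizeof name, "FILE:/tmp/krb5cc_%lu", (unsigned long)uid);
    if (ccache_ok_for_uid(name + 5, uid) != CC_OK) return GSS_S_FAILURE; /* skip "FILE:" */
    if (GSS_ERROR(major = gss_krb5_ccache_name(minor, name, &old))) return major;
    saved = old ? strdup(old) : NULL;  /* old is only valid until the next call */
    major = gss_acquire_cred(minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
                             GSS_C_INITIATE, cred, NULL, NULL);
    (void)gss_krb5_ccache_name(minor, saved, NULL); /* NULL resets to the library default */
    free(saved);
    return major;
}
#endif

/* Self-check needing no Kerberos: a 0600 temp file we own passes; another uid is refused. */
int demo_ownership_check(void)
{
    char p[] = "/tmp/krb5cc_demo_XXXXXX"; int fd = mkstemp(p), ok = 0;
    if (fd < 0) return 0;
    ok = ccache_ok_for_uid(p, getuid()) == CC_OK && ccache_ok_for_uid(p, getuid() + 1) == CC_ERR_OWNER;
    close(fd); unlink(p); return ok;
}
```

The restore step matters because the cache name is global to the process (or thread) in both libraries, so a daemon serving many uids must not leave one user's cache selected between requests.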