I was thinking that using gssapi could be leveraged. At one point, I seem to
recall reading/hearing/being told that with the win2k kerberos support,
client code had ZERO access to the tickets themselves and that the only
exported interface was SSPI.
What I was thinking is that you could create a pseudo-krb524d that was a
gssapi service on the server, and have aklog authenticate to it including
forwarded tickets, and then have it use the forwarded tickets somehow and
convert them - i.e. the same way that gssapi ftpd works with aklog now. I.e.,
if Windows won't let you get at the tickets, forward 'em somewhere else and
let that service do the work.
I don't know if this makes any sense, as my low-level knowledge of aklog is
limited. If the 'SSPI only' bit is no longer the case, it won't be an issue.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: [EMAIL PROTECTED]
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
> -----Original Message-----
> From: Ken Hornstein [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 17, 2000 9:14 AM
> To: Nathan Neulinger
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Anyone working on a Win2k/GSSAPI/SSPI version of aklog?
>
>
> >Obviously, isn't really needed just yet, as the client won't be
> >available for a while, but would be nice to know if it's being
> >considered. (That is, unless you happen to have inside information
> >intimating that transarc is finally going to start supporting krb5
> >directly. *crossing fingers*)
>
> I'm not sure how a GSS-API aklog would _work_. You're not authenticating
> _to_ anything ... you're getting a service ticket that you're cramming
> into the kernel (after converting it to V4). How would you use GSS-API
> in that case?
>
> --Ken
>