Does anyone have any tips on copying the credentials created from Kerberos 
constrained delegation to a credentials cache file and back in again?   In the 
example krb5-1.10.3/src/tests/gssapi/t_s4u.c, near the end of the 
constrainedDelegate function, after the gss_init_sec_context, I tried to copy 
the delegated_cred_handle to a credentials cache.    I've NEVER seen a service 
ticket for the end service make it to the cache file, so I'm not sure which 
cred cache I should be using.

I've tried 1) just using the default cache

2) with gss_store_cred with

memset(&elements_stored, 0, sizeof(elements_stored));
memset(&cred_usage_stored, 0, sizeof(cred_usage_stored));
major = gss_store_cred(&minor, delegated_cred_handle, GSS_C_BOTH, 
GSS_C_NULL_OID, 1, 1, &elements_stored, &cred_usage_stored);

3) or with gss_krb5_copy_ccache

Nothing shows a cached service ticket.   I'm not even certain which 
principal I should initialize the ccache with - the impersonator principal, 
or the user principal name?

I've also tried various methods of reading the new cache back in and then 
re-running constrainedDelegate but I often get a "gss_init_sec_context: 
Matching credential not found"

My goal is to put this code into mod_auth_kerb with mod_proxy, but I'm unclear 
how to make it not hit the KDC with every request if I can't get a credentials 
cache saved and reloaded between requests.

-Christopher
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
