On Tue, 2013-03-12 at 00:23 +0000, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos
> constrained delegation to a credentials cache file and back in again? In
> the example krb5-1.10.3/src/tests/gssapi/t_s4u.c, near the end of the
> constrainedDelegate function after gss_init_sec_context, I tried to copy the
> delegated_cred_handle to a credentials cache. I've NEVER seen a
> service ticket for the end service make it to the cache file, so I'm not sure
> which cred cache I should be using.
>
> I've tried 1) just using the default cache
>
> 2) with gss_store_cred with
>
> memset(&elements_stored, 0, sizeof(elements_stored));
> memset(&cred_usage_stored, 0, sizeof(cred_usage_stored));
> major = gss_store_cred(&minor, delegated_cred_handle, GSS_C_BOTH,
> GSS_C_NULL_OID, 1, 1, &elements_stored, &cred_usage_stored);
>
> 3) or with gss_krb5_copy_ccache
>
> Nothing shows a cached service ticket. I'm not even certain which
> principal I should initialize the ccache with - the impersonator principal,
> or the user principal name?
>
> I've also tried various methods of reading the new cache back in and then
> re-running constrainedDelegate, but I often get a "gss_init_sec_context:
> Matching credential not found"
>
> My goal is to put this code into mod_auth_kerb with mod_proxy, but I'm unclear
> how to make it not hit the KDC with every request if I can't get a
> credential cache saved and reloaded between requests.
Christopher,

Red Hat has already sent upstream patches to support s4u2proxy authentication in mod_auth_kerb; you may want to check this thread:
http://sourceforge.net/mailarchive/message.php?msg_id=28531618
(they are not in the upstream code yet; apparently nobody picked them up).

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
