I posted this on the newsgroup via Google Groups a few days ago, but it doesn't seem to have made it to the mailing list; it might have been flagged as spam. I'll resend it here:
I have an application that's a web-based 'frontend' to perform some admin tasks on an LDAP server. Users authenticate to the application using HTTP Negotiate authentication, and they delegate their Kerberos credentials to the application. This part all works fine: I can get the delegated credential from gss_accept_sec_context and use it.

The next part is giving me trouble. I want to use the delegated credential in the same application to authenticate to an LDAP server using SASL GSSAPI authentication. The LDAP library I'm using, python-ldap, doesn't have any option to pass a specific GSSAPI credential to use for authentication, so I can't pass in the delegated credential handle. So I had the idea of fork()ing the process, setting a different KRB5CCNAME in the child process environment, storing the delegated credential in there with gss_store_cred and then calling the LDAP library.

The problem is, when I set KRB5CCNAME to a nonexistent file, or a new empty file in /tmp, I get an error from gss_store_cred that the cache doesn't exist or has a bad format. I then tried copying a valid cache to a new file in /tmp and then setting KRB5CCNAME to that file, and then gss_store_cred was able to store the delegated credential into the existing ccache, but it isn't setting it as the default principal. When I list the contents of the ccache, I can see:

    Ticket cache: FILE:/tmp/newccache
    Default principal: HTTP/[email protected]

    Valid starting       Expires              Service principal
    06/09/2014 02:23     06/09/2014 12:23     krbtgt/[email protected]
    06/09/2014 07:52     06/09/2014 17:51     krbtgt/[email protected]
            for client [email protected]

HTTP/[email protected] is the app server, and it obtains a TGT using its keytab and k5start when it runs. That's the first TGT; the second TGT, for [email protected], is the one stored by gss_store_cred. What I'd like is to get the delegated credential to be the default principal in the ccache, so that the LDAP library uses it.

I am calling gss_store_cred with the overwrite and default arguments set to 1, which I thought would make the stored credential the default principal in the ccache. Am I going about this using the wrong approach? Using MIT Kerberos 1.10 on Linux (Ubuntu 12.04).

Thanks!

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
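The failure mode in this post is that the child process ends up with a ccache whose default principal is still the service (HTTP/...), so an LDAP bind from that ccache would run as the application rather than as the delegated user. Before handing KRB5CCNAME to a library that picks its own credential, it is worth checking the cache explicitly. The following is an added example, not code from the original post: it parses MIT `klist` output (the format quoted above, including the indented `for client` line that marks a ticket stored for a different client) and reports whether the cache would actually present the expected user. Principal names in the embedded sample are constructed; `klist_for` wraps the real `klist -c` command for use against a live cache.

```python
"""Parse MIT klist output and check which principal a ccache will present.

Added example (not from the original post). Assumes the MIT klist text
format: "Ticket cache:", "Default principal:", one line per ticket, and an
optional "for client X" line (or trailing phrase) for tickets whose client
is not the cache's default principal.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(
    r"^(?P<start>\S+ \S+)\s+(?P<expires>\S+ \S+)\s+(?P<service>\S+)"
    r"(?:\s+for client\s+(?P<client>\S+))?\s*$"
)
FOR_CLIENT_RE = re.compile(r"^\s*for client\s+(?P<client>\S+)\s*$")


@dataclass
class Ticket:
    start: str
    expires: str
    service: str
    client: Optional[str] = None  # None: ticket belongs to the default principal


@dataclass
class CcacheSummary:
    cache: str = ""
    default_principal: str = ""
    tickets: List[Ticket] = field(default_factory=list)

    def tgt_holders(self) -> List[str]:
        """Every principal that has a krbtgt/ entry in this cache."""
        return [t.client or self.default_principal
                for t in self.tickets if t.service.startswith("krbtgt/")]


def parse_klist(text: str) -> CcacheSummary:
    summary = CcacheSummary()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Valid starting"):
            continue  # blank line or column header
        if line.startswith("Ticket cache:"):
            summary.cache = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            summary.default_principal = line.split(":", 1)[1].strip()
            continue
        m = FOR_CLIENT_RE.match(line)
        if m and summary.tickets:
            # continuation line: attach the client to the previous ticket
            summary.tickets[-1].client = m.group("client")
            continue
        m = ENTRY_RE.match(line)
        if m:
            summary.tickets.append(Ticket(m.group("start"), m.group("expires"),
                                          m.group("service"), m.group("client")))
    return summary


def cache_presents(summary: CcacheSummary, expected: str) -> bool:
    """True only if the cache will act as ``expected``: it is the default
    principal AND it holds a TGT. A TGT stored 'for client' someone else does
    not make that client the identity a GSSAPI initiator will pick."""
    return (summary.default_principal == expected
            and expected in summary.tgt_holders())


def klist_for(ccache: str) -> str:
    """Run the real ``klist -c <cache>`` and return its text (live use only)."""
    return subprocess.run(["klist", "-c", ccache], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample mirroring the situation in the post: the service's TGT is
# the default, the delegated user's TGT is present but only 'for client'.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/newccache
Default principal: HTTP/app.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
06/09/2014 02:23:00  06/09/2014 12:23:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/09/2014 07:52:00  06/09/2014 17:51:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tfor client alice@EXAMPLE.COM
"""

if __name__ == "__main__":
    s = parse_klist(SAMPLE_KLIST)
    for user in ("alice@EXAMPLE.COM", s.default_principal):
        print(f"{s.cache} presents {user!r}: {cache_presents(s, user)}")
```

In the child process, a guard such as `if not cache_presents(parse_klist(klist_for(os.environ["KRB5CCNAME"])), delegated_user): abort` refuses to bind when the cache would silently use the service's own identity instead of the user's.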
