Hi Kai

So far I have been able to knock this together, as a proof of concept.

Getting the EncAsRepPart required for the TGT will take a little more
effort, and I will need handling to cover the case where there are multiple
tickets in the cache (e.g. there is already an SGT cached).

Cheers

Chris


    import java.io.File;
    import java.io.IOException;
    import java.util.List;

    import org.apache.kerby.kerberos.kerb.KrbException;
    import org.apache.kerby.kerberos.kerb.ccache.Credential;
    import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
    import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
    import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
    import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
    import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;

    private TgtTicket retrieveCachedTicket(File ccacheFile) throws KrbException {

        Ticket ticket = null;
        PrincipalName clientPrincipal = null;
        // TODO: encKdcRepPart cannot be directly got from credential,
        // will have to be built field by field
        EncAsRepPart encKdcRepPart = null;

        if (ccacheFile.exists() && ccacheFile.canRead()) {
            CredentialCache cCache = new CredentialCache();
            try {
                // Parse the on-disk credential cache (e.g. one written by kinit)
                cCache.load(ccacheFile);

                List<Credential> credentials = cCache.getCredentials();

                // Proof of concept: if the cache holds several credentials
                // (TGT plus cached SGTs), this keeps the last one read
                for (Credential cred : credentials) {
                    ticket = cred.getTicket();
                    clientPrincipal = cred.getClientName();
                }

            } catch (IOException e) {
                throw new KrbException("Failed to load credentials", e);
            }
        } else {
            throw new IllegalArgumentException("Invalid ccache file, "
                    + "does not exist, or is not readable: "
                    + ccacheFile.getAbsolutePath());
        }
        return new TgtTicket(ticket, encKdcRepPart, clientPrincipal);
    }
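As an added example (not Chris's code above and not code from the Kerby project), the following shows one way to handle the "multiple tickets in the cache" case the message mentions: instead of keeping whichever credential is read last, it selects the credential whose server principal is krbtgt/REALM, which is the TGT, and skips any cached service tickets. It assumes the Kerby classes CredentialCache, Credential and PrincipalName from kerb-util/kerb-core with the accessors used below (load, getCredentials, getServerName, getClientName, getNameStrings, getRealm); the cache path /tmp/krb5cc_example is a placeholder.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.ccache.Credential;
import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;

/** Added example: pick the TGT out of a ccache that may also hold service tickets. */
public class CcacheTgtSelector {

    /** First name component of a ticket-granting ticket's service principal. */
    private static final String KRBTGT = "krbtgt";

    /** Renders a principal as name/components@REALM for log output. */
    static String render(PrincipalName p) {
        return String.join("/", p.getNameStrings()) + "@" + p.getRealm();
    }

    /**
     * True when the credential's server principal is krbtgt/..., i.e. the
     * credential is a TGT rather than a service ticket (SGT).
     */
    static boolean isTgt(Credential cred) {
        PrincipalName server = cred.getServerName();
        if (server == null) {
            return false;
        }
        List<String> parts = server.getNameStrings();
        return parts != null && !parts.isEmpty() && KRBTGT.equals(parts.get(0));
    }

    /**
     * Loads the cache and returns its TGT credential. Service tickets stored
     * alongside it are ignored; a cache without a TGT is reported as an error
     * rather than silently returning a service ticket or a null ticket.
     */
    static Credential findTgt(File ccacheFile) throws KrbException {
        if (!ccacheFile.isFile() || !ccacheFile.canRead()) {
            throw new IllegalArgumentException("Invalid ccache file, does not exist, "
                    + "or is not readable: " + ccacheFile.getAbsolutePath());
        }
        CredentialCache cache = new CredentialCache();
        try {
            cache.load(ccacheFile);
        } catch (IOException e) {
            throw new KrbException("Failed to load credential cache", e);
        }
        for (Credential cred : cache.getCredentials()) {
            if (isTgt(cred)) {
                return cred;
            }
        }
        throw new KrbException("No TGT found in " + ccacheFile.getAbsolutePath());
    }

    public static void main(String[] args) throws KrbException {
        // Placeholder path; pass the real ccache path (see klist) as the first argument.
        String path = args.length > 0 ? args[0] : "/tmp/krb5cc_example";
        Credential tgt = findTgt(new File(path));
        System.out.println("TGT for " + render(tgt.getClientName())
                + " issued by " + render(tgt.getServerName()));
    }
}
```

The selection is done on the server principal rather than on the order of entries because kinit and a GSS-API client may append service tickets after the TGT, so "last credential read" is not a reliable rule. The EncAsRepPart needed for a TgtTicket is still not available from the cache entry, as the message notes.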






From:   "Zheng, Kai" <kai.zh...@intel.com>
To:     "kerby@directory.apache.org" <kerby@directory.apache.org>
Date:   08/05/2017 14:32
Subject:        Re: Using Kerby kerb-client as an alternative for GSS-API for
            Kerberos Single Sign On.



Got your point. Please read credential cache utility codes and see if any
API doing so.

Sent from iPhone

On 8 May 2017, at 20:13, Christopher Lamb <christopher.l...@ch.ibm.com<
mailto:christopher.l...@ch.ibm.com>> wrote:


Hi Kai

Browsing further through the kerby code, I think I need the opposite of
KrbClientBase.storeTicket(): for instance a "public TgtTicket
retrieveCachedTicket(File ccacheFile)".

Let me see if I can knock something together based on storeTicket()....

Cheers

Chris


From: "Zheng, Kai" <kai.zh...@intel.com<mailto:kai.zh...@intel.com>>
To: "kerby@directory.apache.org<mailto:kerby@directory.apache.org>"
<kerby@directory.apache.org<mailto:kerby@directory.apache.org>>
Date: 08/05/2017 13:09
Subject: RE: Using Kerby kerb-client as an alternative for GSS-API for
Kerberos Single Sign On.

________________________________



If I remember correctly, it first generates a cache with a TGT, then does the
login test with the ticket cache. In your case, you would need to know
where the cache file is and point Kerby client to it, as the test did.

Regards,
Kai

From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, May 08, 2017 7:05 PM
To: kerby@directory.apache.org<mailto:kerby@directory.apache.org>
Subject: RE: Using Kerby kerb-client as an alternative for GSS-API for
Kerberos Single Sign On.


Hi Kai

Thanks, example code is always best.

TicketCacheLoginTest looks like part of the answer, especially the
storeTicket() function. However (unless I have completely misread the
test-case), the TGT is not retrieved from the cache, it is only stored
there.

In my Single-Sign-On case, the user already has a TGT, which was obtained
on log in to the workstation (or by kinit), prior to starting my java
client. I am assuming it should be possible for kerby to use the existing
TGT.

Cheers

Chris


From: "Zheng, Kai" <kai.zh...@intel.com<mailto:kai.zh...@intel.com><
mailto:kai.zh...@intel.com>>
To: "kerby@directory.apache.org<mailto:kerby@directory.apache.org><
mailto:kerby@directory.apache.org>" <kerby@directory.apache.org<
mailto:kerby@directory.apache.org><mailto:kerby@directory.apache.org>>
Date: 08/05/2017 12:45
Subject: RE: Using Kerby kerb-client as an alternative for GSS-API for
Kerberos Single Sign On.

________________________________



Hi Chris,

Both dev lists should be OK as Kerby folks are also in the parent one.

I haven't read your details fully (will do it later), but would make sure
if you have already checked out the test of TicketCacheLoginTest in the
kerby code base. In one word, Kerby client surely can consume and use a
credential cache generated by other tools like MIT kinit. If you see any
issue, please report it.

Regards,
Kai

-----Original Message-----
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, May 08, 2017 5:09 PM
To: kerby@directory.apache.org<mailto:kerby@directory.apache.org><
mailto:kerby@directory.apache.org>
Subject: Using Kerby kerb-client as an alternative for GSS-API for Kerberos
Single Sign On.


Hi all

I hope this is the appropriate mailing list for this type of question. Or
would it be better on the Directory Developers’ list?

I am considering using Kerby kerb-client as an alternative to Java GSS-API
for a Java client application in a Kerberos single sign on environment.

In my proof of concept setup I am using FreeIPA clients and servers. When
the user logs on to his workstation he is authenticated by the FreeIPA KDC,
and gets a TGT which is cached in the default credentials cache. When he
wishes to access services from the application server (which is a Service
Principal), the TGT in the credentials cache is used to get a Service
Ticket, which should also be cached in the credentials cache for future
use.

With a throwaway Python GSS-API client this worked perfectly. "klist" shows
both the TGT and the SGT in the credentials cache. But trying to do the
same thing with Java GSS-API I ran into problems. While the Client is able
to retrieve a Service Ticket, and thus login to the Service Principal, the
SGT is not cached. Thus every request to the Service Principal requires KDC
interaction. Not good.

In my search for alternatives, I came across Kerby kerb-client, and am
experimenting with it, but so far without success despite much debugging
and scanning of Kerby code.

Here is the question: Can the Kerby kerb-client be configured to access an
existing Kerberos credential cache (as opposed to a KeyTab), and to use the
TGT ticket within, and to cache new service tickets? In this case the
existing credentials cache is from

So far I have found no config to do so. Searching through the Kerby code I
find references to things like ‘credCache’, ‘KRB5_CACHE’, ‘ARMOR_CACHE’.
However in AbstractInternalKrbClient.requestTGT() I can’t find any USE_xxx
options that seem appropriate for using a credentials cache.

Have I missed something obvious? If so, which options should I be
configuring?

Thanks

Chris
