[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: how to achieve what kinit does programmatically?
I looked at the krb pam package but it looks like the function there would still prompt for user's passwd before it can get the TGT. The goal I want to achieve here is to do it without the prompt since I can get the user/passwd pair beforehand(thru proxy authorization maybe).
So can krb5_get_init_creds_password() do the job without interaction? I've downloaded the MIT Kerberos package however it seems it doesn't have good documentation though. Does Heimdal provide better documentation?
Thx.
Kent
-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Friday, May 30, 2003 7:13 AM
To: Kent Wu (RD-US); heimdal-discuss@sics.se
Cc: Henry B. Hotz
Subject: Re: how to achieve what kinit does programmatically?
Another example of getting a TGT from a password would be one of the
many krb pam routines. Are you using the Solaris SEAM version of
Kerberos, if so look at the Sun documentation. You can also look at
the kinit source :-)
"Henry B. Hotz" wrote:
>
> At 11:53 AM -0700 5/29/03, Kent_Wu@trendmicro.com wrote:
> >Hi:
> > I can use "kinit" to get a TGT from a win2000 KDC in my
> >Solaris machine and I also assume there must be Kerberos API's to
> >achieve the same thing programmatically in C. However I couldn't
> >find too much info on this. Could anyone kindly tell me the correct
> >way to do it?
> > Another odd thing is in my /usr/lib/krb5 folder I can find
> >some kerberos libraries which contains some API symbols like
> >krb5_init_context however I couldn't find any man page for this
> >function. Do I miss something here or I need to download separate
> >Kerberos library to do this?
>
> This question properly should go to an MIT Kerberos list, but I've
> been looking into it myself so here goes:
>
> OSX includes the latest MIT K5 release, however it does not include
> the man pages or documentation. What you need to do is go to the MIT
> site and download the latest source distribution. That will include,
> among other things, some TeX documentation which is pretty complete.
>
> Now is it accurate? I do know that it documents a
> get-tgt-with-password type function that exists, but is different
> from the function actually used by either NetBSD/Heimdal kinit or MIT
> kinit (which are different from each other as well). In other words
> just because MIT has more documentation than Heimdal doesn't mean
> it's better. |-(
>
> What I intend to do in my "copious free time" is try lifting code
> from the MIT kinit source and seeing if I can get that to work. I
> was not successful in getting the documented routine to work.
>
> I also looked at the GSSAPI documentation from Sun and it appears
> that that API assumes you already have a tgt (unless you're a
> server). I think SASL wraps GSSAPI so that wouldn't solve the
> problem either.
> --
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444