[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: how to achieve what kinit does programmatically?

To: <kwc@citi.umich.edu>
Subject: RE: how to achieve what kinit does programmatically?
From: Kent_Wu@trendmicro.com
Date: Wed, 4 Jun 2003 10:22:11 -0700
Cc: <krbdev@MIT.EDU>, <heimdal-discuss@sics.se>
Sender: owner-heimdal-discuss@sics.se
Thread-Index: AcMql89RpPT/HU7tSeiW6Bfmvv+NewAJbv/Q
Thread-Topic: how to achieve what kinit does programmatically?
Thx, K.C. You got it. Once I changed the krb5.conf location then it works.

Kent

-----Original Message-----
From: Kevin Coffman [mailto:kwc@citi.umich.edu]
Sent: Wednesday, June 04, 2003 5:50 AM
To: Kent Wu (RD-US)
Cc: Kevin Coffman
Subject: Re: how to achieve what kinit does programmatically? 


HEre's a wild guess.  You said you used the Solaris kinit.  I believe 
their krb5.conf file is in a different location than where the MIT code 
expects it.  The MIT code wants it in /etc/krb5.conf while I think 
Solaris SEAM has it in /etc/kerberos/krb5.conf or something.

Just a guess.

K.C.

> Hi:
> 
> 	While trying to use krb5_get_init_creds_password() to get the TGT, it always pops up the error message: "cannot resolve network address for KDC in requested realm getting initial ticket". The odd thing is I'm pretty sure my krb5.conf and DNS setting is correct since I can get the TGT thru Solaris tool "kinit".
> 
> 	Since it's lack of documentation for this API I suspected maybe some parameter I passed in was wrong, this API's signature is like this:
> 
> krb5_get_init_creds_password(krb5_context context,
> 		krb5_creds *creds,
> 		krb5_principal client,
> 		char *password,
> 		krb5_prompter_fct prompter,
> 		void *data,
> 		krb5_deltat start_time,
> 		char *in_tkt_service,
> 		krb5_get_init_creds_opt *options);
> 
> the following is how I invoked it, here I already got the password so I don't need a prompter I guess, I also passed 0(NULL) to argument data, start_time, in_tkt_service and options based on the assumption that I either don't need them or can use the default value in krb5.conf.
> 
> krb5_get_init_creds_password(context, 
> 				     &creds, 
> 				     princ, 
> 				     "mypasswd",
> 				     0, 
> 				     0, 
> 				     0, 
> 				     0, 
> 				     0);
> 
> Did I miss something here thus causing the error message?
> 
> Thx a lot, guys.
> 
> Kent 
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Tuesday, June 03, 2003 6:45 AM
> To: Kent Wu (RD-US); heimdal-discuss@sics.se; hotz@jpl.nasa.gov;
> hartmans@mit.edu; krbdev@mit.edu
> Subject: Re: how to achieve what kinit does programmatically?
> 
> 
> 
> 
> Kent_Wu@trendmicro.com wrote:
> > 
> > I looked at the krb pam package but it looks like the function there would still prompt for user's passwd before it can get the TGT. The goal I want to achieve here is to do it without the prompt since I can get the user/passwd pair beforehand(thru proxy authorization maybe).
> > 
> >         So can krb5_get_init_creds_password() do the job without interaction? I've downloaded the MIT Kerberos package however it seems it doesn't have good documentation though. Does Heimdal provide better documentation?
> > 
> 
> 
> The PAM exit I have seen, passes in "pass" as the password, as the PAM modules do the
> actually
> prompting. Here is a code snipit for the MIT kinit.c which pases in a password read from
> stdin.
> It calls krb5_get_init_creds_password. You can use it as an example.
> 
> *** 776,783 ****
>   
>       switch (opts->action) {
>       case INIT_PW:
>         code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
> !                                           0, kinit_prompter, 0,
>                                             opts->starttime, 
>                                             opts->service_name,
>                                             &options);
> --- 784,804 ----
>   
>       switch (opts->action) {
>       case INIT_PW:
> +       if (opts->pstdin) {
> +               pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1);
> +               if (pstdin_pw_size > 0) {
> +                       if (pstdin_pw[pstdin_pw_size-1] == '\n') {
> +                               pstdin_pw_size--;
> +                       }
> +                       pstdin_pw[pstdin_pw_size] = '\0';
> +               } else {
> +                       pstdin_pw_size = 0;
> +               }
> +       }
> + 
>         code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
> !                                           (pstdin_pw_size > 0)? pstdin_pw: 0, 
> !                                               kinit_prompter, 0,
>                                             opts->starttime, 
>                                             opts->service_name,
>                                             &options);
> 
> > Thx.
> > 
> > Kent
> > 
> > -----Original Message-----
> > From: Douglas E. Engert [mailto:deengert@anl.gov]
> > Sent: Friday, May 30, 2003 7:13 AM
> > To: Kent Wu (RD-US); heimdal-discuss@sics.se
> > Cc: Henry B. Hotz
> > Subject: Re: how to achieve what kinit does programmatically?
> > 
> > Another example of getting a TGT from a password would be one of the
> > many krb pam routines. Are you using the Solaris SEAM version of
> > Kerberos, if so look at the Sun documentation. You can also look at
> > the kinit source :-)
> > 
> > "Henry B. Hotz" wrote:
> > >
> > > At 11:53 AM -0700 5/29/03, Kent_Wu@trendmicro.com wrote:
> > > >Hi:
> > > >       I can use "kinit" to get a TGT from a win2000 KDC in my
> > > >Solaris machine and I also assume there must be Kerberos API's to
> > > >achieve the same thing programmatically in C. However I couldn't
> > > >find too much info on this. Could anyone kindly tell me the correct
> > > >way to do it?
> > > >       Another odd thing is in my /usr/lib/krb5 folder I can find
> > > >some kerberos libraries which contains some API symbols like
> > > >krb5_init_context however I couldn't find any man page for this
> > > >function. Do I miss something here or  I need to download separate
> > > >Kerberos library to do this?
> > >
> > > This question properly should go to an MIT Kerberos list, but I've
> > > been looking into it myself so here goes:
> > >
> > > OSX includes the latest MIT K5 release, however it does not include
> > > the man pages or documentation.  What you need to do is go to the MIT
> > > site and download the latest source distribution.  That will include,
> > > among other things, some TeX documentation which is pretty complete.
> > >
> > > Now is it accurate?  I do know that it documents a
> > > get-tgt-with-password type function that exists, but is different
> > > from the function actually used by either NetBSD/Heimdal kinit or MIT
> > > kinit (which are different from each other as well).  In other words
> > > just because MIT has more documentation than Heimdal doesn't mean
> > > it's better. |-(
> > >
> > > What I intend to do in my "copious free time" is try lifting code
> > > from the MIT kinit source and seeing if I can get that to work.  I
> > > was not successful in getting the documented routine to work.
> > >
> > > I also looked at the GSSAPI documentation from Sun and it appears
> > > that that API assumes you already have a tgt (unless you're a
> > > server).  I think SASL wraps GSSAPI so that wouldn't solve the
> > > problem either.
> > > --
> > > The opinions expressed in this message are mine,
> > > not those of Caltech, JPL, NASA, or the US Government.
> > > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> > 
> > --
> > 
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439 
>  (630) 252-5444
>
Prev by Date: Re: gss_wrap_size_limit()
Next by Date: Re: [Heimdal PATCH] LDAP backend support for OpenLDAP 2.1.x
Prev by thread: RE: how to achieve what kinit does programmatically?
Next by thread: gss_wrap_size_limit()
Index(es):
- Date
- Thread