[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: how to achieve what kinit does programmatically?
Hi:
While trying to use krb5_get_init_creds_password() to get the TGT, it always pops up the error message: "cannot resolve network address for KDC in requested realm getting initial ticket". The odd thing is I'm pretty sure my krb5.conf and DNS setting is correct since I can get the TGT thru Solaris tool "kinit".
Since it's lack of documentation for this API I suspected maybe some parameter I passed in was wrong, this API's signature is like this:
krb5_get_init_creds_password(krb5_context context,
krb5_creds *creds,
krb5_principal client,
char *password,
krb5_prompter_fct prompter,
void *data,
krb5_deltat start_time,
char *in_tkt_service,
krb5_get_init_creds_opt *options);
the following is how I invoked it, here I already got the password so I don't need a prompter I guess, I also passed 0(NULL) to argument data, start_time, in_tkt_service and options based on the assumption that I either don't need them or can use the default value in krb5.conf.
krb5_get_init_creds_password(context,
&creds,
princ,
"mypasswd",
0,
0,
0,
0,
0);
Did I miss something here thus causing the error message?
Thx a lot, guys.
Kent
-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Tuesday, June 03, 2003 6:45 AM
To: Kent Wu (RD-US); heimdal-discuss@sics.se; hotz@jpl.nasa.gov;
hartmans@mit.edu; krbdev@mit.edu
Subject: Re: how to achieve what kinit does programmatically?
Kent_Wu@trendmicro.com wrote:
>
> I looked at the krb pam package but it looks like the function there would still prompt for user's passwd before it can get the TGT. The goal I want to achieve here is to do it without the prompt since I can get the user/passwd pair beforehand(thru proxy authorization maybe).
>
> So can krb5_get_init_creds_password() do the job without interaction? I've downloaded the MIT Kerberos package however it seems it doesn't have good documentation though. Does Heimdal provide better documentation?
>
The PAM exit I have seen, passes in "pass" as the password, as the PAM modules do the
actually
prompting. Here is a code snipit for the MIT kinit.c which pases in a password read from
stdin.
It calls krb5_get_init_creds_password. You can use it as an example.
*** 776,783 ****
switch (opts->action) {
case INIT_PW:
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
! 0, kinit_prompter, 0,
opts->starttime,
opts->service_name,
&options);
--- 784,804 ----
switch (opts->action) {
case INIT_PW:
+ if (opts->pstdin) {
+ pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1);
+ if (pstdin_pw_size > 0) {
+ if (pstdin_pw[pstdin_pw_size-1] == '\n') {
+ pstdin_pw_size--;
+ }
+ pstdin_pw[pstdin_pw_size] = '\0';
+ } else {
+ pstdin_pw_size = 0;
+ }
+ }
+
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
! (pstdin_pw_size > 0)? pstdin_pw: 0,
! kinit_prompter, 0,
opts->starttime,
opts->service_name,
&options);
> Thx.
>
> Kent
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Friday, May 30, 2003 7:13 AM
> To: Kent Wu (RD-US); heimdal-discuss@sics.se
> Cc: Henry B. Hotz
> Subject: Re: how to achieve what kinit does programmatically?
>
> Another example of getting a TGT from a password would be one of the
> many krb pam routines. Are you using the Solaris SEAM version of
> Kerberos, if so look at the Sun documentation. You can also look at
> the kinit source :-)
>
> "Henry B. Hotz" wrote:
> >
> > At 11:53 AM -0700 5/29/03, Kent_Wu@trendmicro.com wrote:
> > >Hi:
> > > I can use "kinit" to get a TGT from a win2000 KDC in my
> > >Solaris machine and I also assume there must be Kerberos API's to
> > >achieve the same thing programmatically in C. However I couldn't
> > >find too much info on this. Could anyone kindly tell me the correct
> > >way to do it?
> > > Another odd thing is in my /usr/lib/krb5 folder I can find
> > >some kerberos libraries which contains some API symbols like
> > >krb5_init_context however I couldn't find any man page for this
> > >function. Do I miss something here or I need to download separate
> > >Kerberos library to do this?
> >
> > This question properly should go to an MIT Kerberos list, but I've
> > been looking into it myself so here goes:
> >
> > OSX includes the latest MIT K5 release, however it does not include
> > the man pages or documentation. What you need to do is go to the MIT
> > site and download the latest source distribution. That will include,
> > among other things, some TeX documentation which is pretty complete.
> >
> > Now is it accurate? I do know that it documents a
> > get-tgt-with-password type function that exists, but is different
> > from the function actually used by either NetBSD/Heimdal kinit or MIT
> > kinit (which are different from each other as well). In other words
> > just because MIT has more documentation than Heimdal doesn't mean
> > it's better. |-(
> >
> > What I intend to do in my "copious free time" is try lifting code
> > from the MIT kinit source and seeing if I can get that to work. I
> > was not successful in getting the documented routine to work.
> >
> > I also looked at the GSSAPI documentation from Sun and it appears
> > that that API assumes you already have a tgt (unless you're a
> > server). I think SASL wraps GSSAPI so that wouldn't solve the
> > problem either.
> > --
> > The opinions expressed in this message are mine,
> > not those of Caltech, JPL, NASA, or the US Government.
> > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444