[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: how to achieve what kinit does programmatically?


	While trying to use krb5_get_init_creds_password() to get the TGT, it always pops up the error message: "cannot resolve network address for KDC in requested realm getting initial ticket". The odd thing is I'm pretty sure my krb5.conf and DNS setting is correct since I can get the TGT thru Solaris tool "kinit".

	Since it's lack of documentation for this API I suspected maybe some parameter I passed in was wrong, this API's signature is like this:

krb5_get_init_creds_password(krb5_context context,
		krb5_creds *creds,
		krb5_principal client,
		char *password,
		krb5_prompter_fct prompter,
		void *data,
		krb5_deltat start_time,
		char *in_tkt_service,
		krb5_get_init_creds_opt *options);

the following is how I invoked it, here I already got the password so I don't need a prompter I guess, I also passed 0(NULL) to argument data, start_time, in_tkt_service and options based on the assumption that I either don't need them or can use the default value in krb5.conf.


Did I miss something here thus causing the error message?

Thx a lot, guys.


-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Tuesday, June 03, 2003 6:45 AM
To: Kent Wu (RD-US); heimdal-discuss@sics.se; hotz@jpl.nasa.gov;
hartmans@mit.edu; krbdev@mit.edu
Subject: Re: how to achieve what kinit does programmatically?

Kent_Wu@trendmicro.com wrote:
> I looked at the krb pam package but it looks like the function there would still prompt for user's passwd before it can get the TGT. The goal I want to achieve here is to do it without the prompt since I can get the user/passwd pair beforehand(thru proxy authorization maybe).
>         So can krb5_get_init_creds_password() do the job without interaction? I've downloaded the MIT Kerberos package however it seems it doesn't have good documentation though. Does Heimdal provide better documentation?

The PAM exit I have seen, passes in "pass" as the password, as the PAM modules do the
prompting. Here is a code snipit for the MIT kinit.c which pases in a password read from
It calls krb5_get_init_creds_password. You can use it as an example.

*** 776,783 ****
      switch (opts->action) {
      case INIT_PW:
        code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
!                                           0, kinit_prompter, 0,
--- 784,804 ----
      switch (opts->action) {
      case INIT_PW:
+       if (opts->pstdin) {
+               pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1);
+               if (pstdin_pw_size > 0) {
+                       if (pstdin_pw[pstdin_pw_size-1] == '\n') {
+                               pstdin_pw_size--;
+                       }
+                       pstdin_pw[pstdin_pw_size] = '\0';
+               } else {
+                       pstdin_pw_size = 0;
+               }
+       }
        code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
!                                           (pstdin_pw_size > 0)? pstdin_pw: 0, 
!                                               kinit_prompter, 0,

> Thx.
> Kent
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Friday, May 30, 2003 7:13 AM
> To: Kent Wu (RD-US); heimdal-discuss@sics.se
> Cc: Henry B. Hotz
> Subject: Re: how to achieve what kinit does programmatically?
> Another example of getting a TGT from a password would be one of the
> many krb pam routines. Are you using the Solaris SEAM version of
> Kerberos, if so look at the Sun documentation. You can also look at
> the kinit source :-)
> "Henry B. Hotz" wrote:
> >
> > At 11:53 AM -0700 5/29/03, Kent_Wu@trendmicro.com wrote:
> > >Hi:
> > >       I can use "kinit" to get a TGT from a win2000 KDC in my
> > >Solaris machine and I also assume there must be Kerberos API's to
> > >achieve the same thing programmatically in C. However I couldn't
> > >find too much info on this. Could anyone kindly tell me the correct
> > >way to do it?
> > >       Another odd thing is in my /usr/lib/krb5 folder I can find
> > >some kerberos libraries which contains some API symbols like
> > >krb5_init_context however I couldn't find any man page for this
> > >function. Do I miss something here or  I need to download separate
> > >Kerberos library to do this?
> >
> > This question properly should go to an MIT Kerberos list, but I've
> > been looking into it myself so here goes:
> >
> > OSX includes the latest MIT K5 release, however it does not include
> > the man pages or documentation.  What you need to do is go to the MIT
> > site and download the latest source distribution.  That will include,
> > among other things, some TeX documentation which is pretty complete.
> >
> > Now is it accurate?  I do know that it documents a
> > get-tgt-with-password type function that exists, but is different
> > from the function actually used by either NetBSD/Heimdal kinit or MIT
> > kinit (which are different from each other as well).  In other words
> > just because MIT has more documentation than Heimdal doesn't mean
> > it's better. |-(
> >
> > What I intend to do in my "copious free time" is try lifting code
> > from the MIT kinit source and seeing if I can get that to work.  I
> > was not successful in getting the documented routine to work.
> >
> > I also looked at the GSSAPI documentation from Sun and it appears
> > that that API assumes you already have a tgt (unless you're a
> > server).  I think SASL wraps GSSAPI so that wouldn't solve the
> > problem either.
> > --
> > The opinions expressed in this message are mine,
> > not those of Caltech, JPL, NASA, or the US Government.
> > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> --
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444