Re: Easiest way to get service ticket after obtaining tgt
More information. I am very confused at this point:
Below you will see my source code, and the results, and the resulting
klist. I have no idea what I could be doing wrong. (NOTE: if my mail
client puts any "http://" stuff in, please ignore it)
Thanks,
- Jeremiah
-- source --
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <krb5.h>

/* Heimdal libkrb5: krb5_make_principal() and krb5_get_cred_from_kdc() are
 * Heimdal-specific calls. */

#define SERVER         "ldap/realm2.com@REALM2.COM"
#define CLIENTNAME     "username"
#define CLIENTREALM    "REALM1.COM"
#define CLIENTPASSWORD "password"   /* hard-coded only for this test program */

/* The original post declared this helper but did not show its body; it is
 * defined here with krb5_get_error_message() so the program links. */
static const char *getKrb5ErrorString( krb5_context ctx, krb5_error_code errNum )
{
    static char buf[256];
    const char *msg = krb5_get_error_message( ctx, errNum );
    snprintf( buf, sizeof buf, "%s", msg ? msg : "unknown Kerberos error" );
    if ( msg )
        krb5_free_error_message( ctx, msg );
    return buf;
}

int main( void )
{
    krb5_context krbcontext = NULL;
    krb5_principal krbprincipal = NULL;   /* username@REALM1.COM */
    krb5_principal server = NULL;         /* ldap/realm2.com@REALM2.COM */
    krb5_ccache krbcache = NULL;
    krb5_creds krbcreds;                  /* TGT from the AS exchange */
    krb5_creds increds;                   /* client/server pair we ask the TGS for */
    krb5_creds *outcreds = NULL;          /* service ticket, on success */
    krb5_creds **tgtcreds = NULL;         /* NULL-terminated list of cross-realm TGTs obtained on the way */
    krb5_error_code kerr = 0;
    int rc = -1;
    int i;
    char *clientName = NULL;
    char *serverName = NULL;

    memset( &krbcreds, 0, sizeof krbcreds );
    memset( &increds, 0, sizeof increds );

    // get tgt, this works.
    printf( "init context...\n" ); fflush( stdout );
    if ( ( kerr = krb5_init_context( &krbcontext ) ) != 0 )
    { rc = -2; goto f; }
    printf( "make principal...\n" ); fflush( stdout );
    if ( ( kerr = krb5_make_principal( krbcontext, &krbprincipal, CLIENTREALM, CLIENTNAME, NULL ) ) != 0 )
    { rc = -3; goto f; }
    printf( "getting tgt...\n" ); fflush( stdout );
    if ( ( kerr = krb5_get_init_creds_password(
               krbcontext, &krbcreds, krbprincipal, CLIENTPASSWORD,
               NULL, NULL, 0, NULL, NULL ) ) != 0 )
    { rc = -4; goto f; }
    // init cache, this works.
    printf( "cc default...\n" ); fflush( stdout );
    if ( ( kerr = krb5_cc_default( krbcontext, &krbcache ) ) != 0 )
    { rc = -5; goto f; }
    printf( "cc init...\n" ); fflush( stdout );
    if ( ( kerr = krb5_cc_initialize( krbcontext, krbcache, krbcreds.client ) ) != 0 )
    { rc = -6; goto f; }
    // store tgt in cache, this works.
    printf( "store creds in cc...\n" ); fflush( stdout );
    if ( ( kerr = krb5_cc_store_cred( krbcontext, krbcache, &krbcreds ) ) != 0 )
    { rc = -7; goto f; }
    printf( "parse name...\n" ); fflush( stdout );
    if ( ( kerr = krb5_parse_name( krbcontext, SERVER, &server ) ) != 0 )
    { rc = -8; goto f; }
    // increds only borrows the two principals; they are freed separately below.
    increds.client = krbprincipal;
    increds.server = server;
    printf( "unparse name...\n" ); fflush( stdout );
    if ( ( kerr = krb5_unparse_name( krbcontext, krbprincipal, &clientName ) ) != 0 )
    { rc = -90; goto f; }
    printf( "unparse name...\n" ); fflush( stdout );
    if ( ( kerr = krb5_unparse_name( krbcontext, server, &serverName ) ) != 0 )
    { rc = -91; goto f; }
    printf( "Printing clientName and serverName...\n" ); fflush( stdout );
    printf( "client: %s\n", clientName );
    printf( "server: %s\n", serverName ); fflush( stdout );
    // get service ticket for the ldap directory in REALM2.COM.
    // The client is in REALM1.COM, so this is a cross-realm request: the
    // REALM1.COM KDC first has to issue a TGT towards REALM2.COM (directly as
    // krbtgt/REALM2.COM@REALM1.COM, or via a hierarchical hop), and only then
    // can the REALM2.COM KDC be asked for ldap/realm2.com.
    //
    // krb5_get_credentials() .. didn't work
    // krb5_get_cred_from_kdc() .. didn't work
    //
    printf( "getting service ticket...\n" ); fflush( stdout );
    // if ( ( kerr = krb5_get_credentials( krbcontext, 0, krbcache, &increds, &outcreds ) ) != 0 )
    if ( ( kerr = krb5_get_cred_from_kdc( krbcontext, krbcache, &increds, &outcreds, &tgtcreds ) ) != 0 )
    { rc = -9; goto f; }
    // store service ticket in cache, never reached
    printf( "store service ticket...\n" ); fflush( stdout );
    if ( ( kerr = krb5_cc_store_cred( krbcontext, krbcache, outcreds ) ) != 0 )
    { rc = -10; goto f; }
    printf( "SUCCESS\n" );
    rc = 0;
    goto out;
f:
    printf( "FAILED! (step: %d)\n%s\n", rc,
            krbcontext ? getKrb5ErrorString( krbcontext, kerr ) : "(could not create context)" );
    rc = -1;
out:
    // release everything in reverse order of acquisition
    if ( krbcontext )
    {
        if ( outcreds )
            krb5_free_creds( krbcontext, outcreds );
        if ( tgtcreds )
        {
            for ( i = 0; tgtcreds[i] != NULL; i++ )
                krb5_free_creds( krbcontext, tgtcreds[i] );
            free( tgtcreds );
        }
        if ( serverName )
            krb5_free_unparsed_name( krbcontext, serverName );
        if ( clientName )
            krb5_free_unparsed_name( krbcontext, clientName );
        if ( server )
            krb5_free_principal( krbcontext, server );
        krb5_free_cred_contents( krbcontext, &krbcreds );
        if ( krbprincipal )
            krb5_free_principal( krbcontext, krbprincipal );
        if ( krbcache )
            krb5_cc_close( krbcontext, krbcache );
        krb5_free_context( krbcontext );
    }
    return rc;
}
-- results --
init context...
make principal...
getting tgt...
cc default...
cc init...
store creds in cc...
parse name...
unparse name...
unparse name...
Printing clientName and serverName...
client: username@REALM1.COM
server: ldap/realm2.com@REALM2.COM
getting service ticket...
FAILED! (step: -9)
Server not found in Kerberos database.
-- When I do a klist it shows this --
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@REALM1.COM
Valid starting     Expires            Service principal
10/14/05 11:00:20 10/14/05 21:00:20 krbtgt/REALM1.COM@REALM1.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
On 10/14/05, Jeremiah Martell <inlovewithgod@gmail.com> wrote:
Nope, that's my mail client being too smart for me. I don't have the
http:// in there. Just "LDAPREALM" plus a period "." plus the
"COM" :-)
- Jeremiah
On 10/14/05, Buck Huppmann <buckh@pobox.com> wrote:
On Thu, Oct 13, 2005 at 04:14:30PM -0400, Jeremiah Martell wrote:
> This is still not working for me. An ethereal trace shows me trying to get a
> ticket for "krbtgt/.", which is really strange.
> // the following values are hard-coded for now.
> // make principal for server. works, but is it correct?
> krb5_make_principal( krbcontext, &server,
> "LDAPREALM.COM <http://LDAPREALM.COM>",
> "ldap/ldaprealm.com", NULL );
is this some sort of artifact of your MUA? or do you literally have
that ``<http://...>'' junk in the realm string? if so, then it's possible
to imagine heimdal (or any implementation) getting confused and
trying to get a cross-realm TGT for the ``.'' realm, in order to get a
cross-realm TGT for the ``COM>'' realm, in order to get . . .
--
- Jeremiah
inlovewithGod@gmail.com
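Added example, not part of the thread and not Heimdal code: a small Python checker that reads klist output and, for a target service principal, works out which credential the next TGS request depends on. The klist text below is constructed to match the one quoted above. The candidate list assumes the libraries' default cross-realm behaviour with no [capaths] in krb5.conf: ask the client's KDC for a direct krbtgt/SERVER_REALM@CLIENT_REALM, otherwise walk the DNS-style hierarchy (RFC 4120 section 1.2); a configured [capaths] changes the route and is not modelled here. In the thread's situation (only krbtgt/REALM1.COM@REALM1.COM cached, server in REALM2.COM) it reports that the REALM1.COM KDC would have to hold krbtgt/REALM2.COM@REALM1.COM or krbtgt/COM@REALM1.COM, which is exactly what "Server not found in Kerberos database" (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) from that first hop means.

```python
import re

# Constructed sample, modelled on the klist output quoted in the thread;
# not captured from a live system.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@REALM1.COM

Valid starting     Expires            Service principal
10/14/05 11:00:20  10/14/05 21:00:20  krbtgt/REALM1.COM@REALM1.COM
"""

# "start-date start-time  expiry-date expiry-time  service principal"
TICKET_LINE = re.compile(r"^(\d\S+ \d\S+)\s+(\d\S+ \d\S+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return (default principal, [cached service principals]) from klist output."""
    default = None
    services = []
    for line in text.splitlines():
        m = re.match(r"^Default principal:\s*(\S+)", line)
        if m:
            default = m.group(1)
            continue
        m = TICKET_LINE.match(line)
        if m:
            services.append(m.group(3))
    if default is None:
        raise ValueError("no 'Default principal:' line in klist output")
    return default, services


def realm_of(principal):
    """Realm of name@REALM; the last '@' is the separator."""
    _name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return realm


def hierarchical_path(crealm, srealm):
    """Realms visited with no [capaths]: up from the client realm to the nearest
    common ancestor, then down to the server realm (RFC 4120 section 1.2)."""
    c, s = crealm.split("."), srealm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(len(c) - common)]
    ancestor = [".".join(c[len(c) - common:])] if common else []
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]
    return up + ancestor + down


def diagnose(klist_text, server):
    """Say which KDC the next TGS-REQ goes to and which principal it must know."""
    client, cached = parse_klist(klist_text)
    crealm, srealm = realm_of(client), realm_of(server)
    if server in cached:
        return {"status": "service_ticket_cached", "ask": None, "missing": []}
    local_tgt = f"krbtgt/{crealm}@{crealm}"
    if local_tgt not in cached:
        return {"status": "no_local_tgt", "ask": None, "missing": [local_tgt]}
    if crealm == srealm:
        # Single realm: a failure here means the service itself is not registered.
        return {"status": "same_realm", "ask": crealm, "missing": [server]}
    # A cached krbtgt/X@Y means we already hold a TGT usable at realm X's KDC.
    tgt_for = {p[len("krbtgt/"):].rpartition("@")[0]
               for p in cached if p.startswith("krbtgt/")}
    if srealm in tgt_for:
        return {"status": "have_tgt_for_server_realm", "ask": srealm, "missing": [server]}
    path = hierarchical_path(crealm, srealm)
    last = max(i for i, r in enumerate(path) if r in tgt_for)
    cur = path[last]
    # The KDC at `cur` must issue one of these: a direct cross-realm TGT to the
    # server realm, or the next hierarchical hop.
    candidates = [f"krbtgt/{srealm}@{cur}"]
    if path[last + 1] != srealm:
        candidates.append(f"krbtgt/{path[last + 1]}@{cur}")
    return {"status": "missing_cross_realm_tgt", "ask": cur, "missing": candidates}


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "ldap/realm2.com@REALM2.COM"))
```

The same experiment without writing any C: `kinit username@REALM1.COM`, then `kvno ldap/realm2.com@REALM2.COM`, then `klist`. If the cache afterwards still holds only krbtgt/REALM1.COM@REALM1.COM, the REALM1.COM KDC could not issue a cross-realm TGT, and the problem is realm trust configuration on the KDC rather than the client code.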