Subject: krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW
KfM and KfW both support the ability to display kinit dialogs
automatically under several circumstances:

* kclient api GetTicketGrantingTicket() when no tgt present
* krb4 krb_mk_req() call with service == "krbtgt" and no tgt present
* gssapi clients calling acquire_init_cred()
* krb5 clients calling krb5_fwd_tgt_creds() or krb5_sendauth()

However, there is a class of krb5 clients (such as sidecar, rcmd,
telnet) which all perform calls to krb5_cc_get_principal() prior to a
krb5_get_credentials() call. The krb5_cc_get_principal() call is used
to set the client portion of the krb5_creds structure which is used to
specify which credentials krb5_get_credentials() should obtain.

In the case where there is no ccache or no credentials in
the ccache, krb5_cc_get_principal() returns an error which in turn
prevents calls to krb5_get_credentials, krb5_mk_req, or krb5_sendauth
from being made. krb5_cc_get_principal() looks like it would be a
nice place to place a hook for a kinit dialog until you realize that
krb5_cc_get_principal() is called at many times throughout the krb5
library for which we would certainly not desire a kinit dialog to
appear.

At the current time this is a limitation of what we can achieve.
I do not have a suggestion of how to address this limitation, but
if we have time the team should attempt to address it.
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2137] krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW
From: Sam Hartman <hartmans@mit.edu>
Date: Thu, 22 Jan 2004 03:07:21 -0500
RT-Send-Cc:
Do these applications actually need to be calling
krb5_cc_get_principal?
Date: Thu, 22 Jan 2004 06:22:11 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: rt-comment@krbdev.mit.edu, krb5-prs@MIT.EDU
Subject: Re: [krbdev.mit.edu #2137] krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW
RT-Send-Cc:
Yes.  They really have no choice.

Sam Hartman wrote:
> Do these applications actually need to be calling
> krb5_cc_get_principal?
To: Jeffrey Altman <jaltman@columbia.edu>
Cc: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2137] krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW
From: Sam Hartman <hartmans@mit.edu>
Date: Thu, 22 Jan 2004 08:19:57 -0500
RT-Send-Cc:
>>>>> "Jeffrey" == Jeffrey Altman <jaltman@columbia.edu> writes:

Jeffrey> Yes. They really have no choice.

Perhaps we should fix this by giving them APIs that do have a choice.
Date: Thu, 22 Jan 2004 11:47:06 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
To: Sam Hartman <hartmans@mit.edu>
Cc: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2137] krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW
RT-Send-Cc:
Sam Hartman wrote:
> "Jeffrey" == Jeffrey Altman <jaltman@columbia.edu> writes:
>
>     Jeffrey>    Yes.  They really have no choice.
>
> Perhaps we should fix this by giving them APIs that do have a choice.

Alexis and I agree that the team should meet to discuss
what functionality should be provided.  We can talk when
you get back.