[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GSASL+Gnu GSS on Windows
From: |
Simon Josefsson |
Subject: |
Re: GSASL+Gnu GSS on Windows |
Date: |
Tue, 15 Jun 2010 09:51:45 +0200 |
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux) |
Johan Larsson <address@hidden> writes:
> Thank you for your great reply, Simon. It contain a lot of valuable
> information.
>
>> What is missing is the glue to read the MIT ticket files in GSS/Shishi.
>> Just the information where the file is stored on Windows would help. On
>> GNU/Linux it is stored in /tmp/krb5cc*.
>
> By default, the MIT ccache is in non-swappable memory in Windows, although
> you can force it to be written to disk.
Then GSS/Shishi would need to be able to read the tickets from memory as
well... pointers on how to do this are appreciated, although I suspect
the priority should be to make it support the on-file variant first.
> As a test, since the GSSAPI is intended to be a standardized API, I removed
> the Gnu GSS "libgss-1.dll" mentioned above, and replaced it by the
> MIT-supplied "gssapi32.dll", renamed into "libgss-1.dll" (and included the
> rest of the MIT DLL:s in the path). The result was that when my application
> came to the point where it called the GSASL methods with the appropriate
> properties for the GSSAPI mechanism, the GSASL implementation managed to
> call those MIT GSSAPI DLL-routines, and the MIT Network Identity Manager was
> kicked into action, requested my authentication credentials, retrieved a TGT
> and then also retrieved exactly the service ticket I was asking for (it
> remained in the ccache until I killed it). Then my application crasched...
> But it feels like doable (maybe with a little communication with the MIT
> people) to get GSASL to work with MIT:s Windows GSSAPI-implementation.
Cool! Yes, if you get that far, then certainly it is likely only some
minor issue causing the crash.
> One thing I was thinking about is that the information to GSASL contains the
> service hostname, while the ccache contains a TGT with the realm name. The
> only mapping between server-/domain name and realm is in the Kerberos
> authentication client configuration file. Does that mean that the Gnu GSS
> (on Linux) does not only retrieve the MIT ccache, but also parses the
> configuration file?
Right now it does not. Once the functionality to parse ccache files has
been integrated, it should also read the configuration file. There is
already a GNU Shishi configuration token 'read-krb5conf' for this:
# Read MIT or Heimdal configuration file for the following parameters:
# default-realm
# realm-kdc
# server-realm
# kdc-timeout
# kdc-retries
# You can override these values by specifying alternate values below.
# Not implemented yet.
#read-krb5conf=/etc/krb5.conf
Hopefully I'll find some time to work on this during the summer...
/Simon