directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zheng, Kai" <kai.zh...@intel.com>
Subject Re: Using Kerby kerb-client as an alternative for GSS-API for Kerberos Single Sign On.
Date Mon, 08 May 2017 12:32:01 GMT
Got your point. Please read credential cache utility codes and see if any API doing so.

Sent from iPhone

在 2017年5月8日,下午8:13,Christopher Lamb <christopher.lamb@ch.ibm.com<mailto:christopher.lamb@ch.ibm.com>>
写道:


Hi Kai

Browsing further through the kerby code, I think I need the opposite of KrbClientBase.storeTicket():
for instance a " Public TgtTicket retrieveCachedTicket(File ccacheFile)"

Let me see if I can knock something together based on storeTicket()....

Cheers

Chris

[Inactive hide details for "Zheng, Kai" ---08/05/2017 13:09:19---If I remember correctly,
it first generates a cache with a TGT,]"Zheng, Kai" ---08/05/2017 13:09:19---If I remember
correctly, it first generates a cache with a TGT, then do the login test with the tick

From: "Zheng, Kai" <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
To: "kerby@directory.apache.org<mailto:kerby@directory.apache.org>" <kerby@directory.apache.org<mailto:kerby@directory.apache.org>>
Date: 08/05/2017 13:09
Subject: RE: Using Kerby kerb-client as an alternative for GSS-API for Kerberos Single Sign
On.

________________________________



If I remember correctly, it first generates a cache with a TGT, then do the login test with
the ticket cache. In your case, you would need to know where is the cache file and point it
to Kerby client, as the test did.

Regards,
Kai

From: Christopher Lamb [mailto:christopher.lamb@ch.ibm.com]
Sent: Monday, May 08, 2017 7:05 PM
To: kerby@directory.apache.org<mailto:kerby@directory.apache.org>
Subject: RE: Using Kerby kerb-client as an alternative for GSS-API for Kerberos Single Sign
On.


Hi Kai

Thanks, example code is always best.

TicketCacheLoginTest looks like part of the answer, especially the storeTicket() function.
However (unless I have completely misread the test-case), the TGT is not retrieved from the
cache, it is only stored there.

In my Single-Sign-On case, the user already has a TGT, which was obtained on log in to the
workstation (or by kinit), prior to starting my java client. I am assuming it should be possible
for kerby to use the existing TGT.

Cheers

Chris

[Inactive hide details for "Zheng, Kai" ---08/05/2017 12:45:22---Hi Chris, Both dev list should
be OK as Kerby folks are also in]"Zheng, Kai" ---08/05/2017 12:45:22---Hi Chris, Both dev
list should be OK as Kerby folks are also in the parent one.

From: "Zheng, Kai" <kai.zheng@intel.com<mailto:kai.zheng@intel.com><mailto:kai.zheng@intel.com>>
To: "kerby@directory.apache.org<mailto:kerby@directory.apache.org><mailto:kerby@directory.apache.org>"
<kerby@directory.apache.org<mailto:kerby@directory.apache.org><mailto:kerby@directory.apache.org>>
Date: 08/05/2017 12:45
Subject: RE: Using Kerby kerb-client as an alternative for GSS-API for Kerberos Single Sign
On.

________________________________



Hi Chris,

Both dev list should be OK as Kerby folks are also in the parent one.

I haven't read your details fully (will do it later), but would make sure if you have already
checked out the test of TicketCacheLoginTest in the kerby code base. In one word, Kerby client
surely can consume and use a credential cache generated by other tools like MIT kinit. If
you see any issue, please report it.

Regards,
Kai

-----Original Message-----
From: Christopher Lamb [mailto:christopher.lamb@ch.ibm.com]
Sent: Monday, May 08, 2017 5:09 PM
To: kerby@directory.apache.org<mailto:kerby@directory.apache.org><mailto:kerby@directory.apache.org>
Subject: Using Kerby kerb-client as an alternative for GSS-API for Kerberos Single Sign On.


Hi all

I hope this is the appropriate mailing list for this type of question. Or would it be better
on the Directory Developers’ list?

I am considering using Kerby kerb-client as an alternative to Java GSS-API for a Java client
application in a Kerberos single sign on environment.

In my proof of concept setup I am using FreeIPA clients and servers.  When the user logs on
to his workstation he is authenticated by the FreeIPA KDC, and  gets a TGT which is cached
in the default credentials cache. When he wishes to access services from the application server
(which is a Service Principal), the TGT in the credentials cache is used to get a Service
Ticket, which should also be cached in the credentials cache for future use.

With a throwaway Python GSS-API client this worked perfectly. "klist" shows both the TGT and
the SGT in the credentials cache. But trying to do the same thing with Java GSS-API I ran
into problems. While the Client is able to retrieve a Service Ticket, and thus login to the
Service Principal, the SGT is not cached. Thus every request to the Service Principal requires
KDC interaction. Not good.

In my search for alternatives, I came across Kerby kerb-client, and am experimenting with
it, but so far without success despite much debugging and scanning of Kerby code.

Here is the question: Can the Kerby kerb-client be configured to access an existing Kerberos
credential cache (as opposed to a KeyTab), and to use the TGT ticket within, and to cache
new service tickets? In this case the existing credentials cache is from

So far I have found no config to do so. Searching through the Kerby code I find references
to things like  ‘credCache’, ‘KRB5_CACHE’, ‘ARMOR_CACHE’.
However in AbstractInternalKrbClient.requestTGT() I can’t find any USE_xxx options that
seem appropriate for using a credentials cache.

Have I missed something obvious? If so, which options should I be configuring?

Thanks

Chris






Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message