Re: [Perlgssapi-users] context init without exising cache
From: Achim G. <ac...@gr...> - 2016-10-13 10:11:02
On Thursday 13 October 2016, Stijn De Weirdt wrote:
> as a followup question, if getting the initial TGT is not part of
> (older?) perl-GSSAPI,

The Protocol and API GSSAPI is a layer on top of Kerberos and _other_
authentication "mechtypes". So there is no "get a TGT" call in the GSSAPI
specification, because the concept "TGT" is "one layer below" and not in
the perl-wrapper around the C-interface as defined in RFC 2744:

--------------------------------
Perl Interface GSSAPI.pm
--------------------------------
GSSAPI-Implementation of RFC 2744,
for Example Heimdal or MIT
--------------------------------
Kerberos5 implementation
for Example Heimdal or MIT
--------------------------------

> does anyone have any idea why this works on el7?

I have no idea why this works.
To be sure: you have run kdestroy first to ensure there is no valid TGT
from older requests?

> is it a change in the krb5 libs (and if so, does anyone have any idea
> which versions have this?)

I have no idea.

>
> many thanks,
>
> stijn
>
> On 10/11/2016 08:16 AM, Stijn De Weirdt wrote:
> > hi achim,
> >
> >> just to be sure: The output from both commands with the same
> >> kerberos-config? Only the versions of Kerberos-libraries differ?
> >
> > the only difference on el7 is the
> > "default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults.
> > (but on el7, when i set KRB5CCNAME to DIR:/something or FILE:, it also
> > works)
> >
> >> In both cases you have run successfully the kinit before and have a valid
> >> TGT?
> >
> > kinit -kt /etc/krb5.keytab works, but i'm trying to get the context
> > without a valid TGT present (ie an empty cache). so the output is
> > produced without a valid TGT present.
> >
> >
> > stijn
> >
> >> Best Regards,
> >> Achim
> >>
> >> On Monday 10 October 2016, Stijn De Weirdt wrote:
> >>> hi all,
> >>>
> >>> following the example code in
> >>> http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm
> >>> i manage to create and list the credentials on a system where no cache
> >>> existed before on centos7 (perl-5.16.3-286.el7.x86_64
> >>> krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)
> >>>
> >>> running with KRB5_TRACE=/dev/stdout, i get
> >>>
> >>>> using Name host/fqdn@REALM
> >>>> Security context's time to live 74391 secs
> >>>> seems everything is fine, type klist to see the ticket
> >>>>
> >>>> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM -> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ
> >>>> [5408] 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from DIR::/tmp/x1/tktgfp8aQ with result: 0/Success
> >>>> [5408] 1476125005.968609: Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B
> >>>
> >>> and afterwards klist shows expected
> >>>
> >>> (fqdn and REALM are replaced)
> >>>
> >>>
> >>> however on EL6 system (perl-5.10.1-141.el6_7.1.x86_64
> >>> krb5-libs-1.10.3-57.el6.x86_64 perl-GSSAPI-0.26-6.el6.x86_64),
> >>> i get
> >>>
> >>>> [8576] 1476125499.295546: ccselect can't find appropriate cache for server principal host/fqdn@REALM
> >>>>
> >>>> using Name host/fqdn@REALM
> >>>>
> >>>> Errors: Unspecified GSS failure. Minor code may provide more information
> >>>> Credentials cache file '/tmp/krb5cc_0' not found
> >>>> major 851968 minor 2529639107
> >>>
> >>> my question is: what GSSAPI and/or krb5 version is required to be able
> >>> to create a credential cache where none existed before?
> >>>
> >>> or can someone shed some light on the error above?
> >>>
> >>> many thanks,
> >>>
> >>> stijn
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Check out the vibrant tech community on one of the world's
> >>> most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >>> _______________________________________________
> >>> Perlgssapi-users mailing list
> >>> Per...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/perlgssapi-users