Re: [Perlgssapi-users] context init without existing cache
From: Achim G. <ac...@gr...> - 2016-10-13 10:11:02
On Thursday 13 October 2016, Stijn De Weirdt wrote:
> as a followup question, if getting the initial TGT is not part of
> (older?) perl-GSSAPI,
The Protocol and API GSSAPI is a layer on top of Kerberos and _other_
authentication "mechtypes".
So there is no "get a TGT" call in the GSSAPI specification, because the
concept "TGT" is "one layer below" and not in the perl-wrapper around the
C-interface as defined in RFC 2744:
--------------------------------
Perl Interface GSSAPI.pm
--------------------------------
GSSAPI-Implementation of RFC 2744,
for Example Heimdal or MIT
--------------------------------
Kerberos5 implementation
for Example Heimdal or MIT
--------------------------------
> does anyone have any idea why this works on el7?
I have no idea why this works.
To be sure: you have run kdestroy first to ensure there is no valid TGT from
older requests?
> is it a change in the krb5 libs (and if so, does anyone have any idea
> which versions have this?)
I have no idea.
>
> many thanks,
>
> stijn
>
> On 10/11/2016 08:16 AM, Stijn De Weirdt wrote:
> > hi achim,
> >
> >> just to be sure: The output from both commands with the same
> >> kerberos-config? Only the versions of Kerberos-libraries differ?
> >
> > the only difference on el7 is the
> > "default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults.
> > (but on el7, when i set KRB5CCNAME to DIR:/something or FILE:, it also
> > works)
> >
> >> In both cases you have run successfully the kinit before and have a valid
> >> TGT?
> >
> > kinit -kt /etc/krb5.keytab works, but i'm trying to get the context
> > without a valid TGT present (ie an empty cache). so the output is
> > produced without a valid TGT present.
> >
> >
> > stijn
> >
> >> Best Regards,
> >> Achim
> >>
> >> On Monday 10 October 2016, Stijn De Weirdt wrote:
> >>> hi all,
> >>>
> >>> following the example code in
> >>> http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm
> >>> i manage to create and list the credentials on a system where no cache
> >>> existed before on centos7 (perl-5.16.3-286.el7.x86_64
> >>> krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)
> >>>
> >>> running with KRB5_TRACE=/dev/stdout, i get
> >>>
> >>>> using Name host/fqdn@REALM
> >>>> Security context's time to live 74391 secs
> >>>> seems everything is fine, type klist to see the ticket
> >>>>
> >>>> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM -> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ
> >>>> [5408] 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from DIR::/tmp/x1/tktgfp8aQ with result: 0/Success
> >>>> [5408] 1476125005.968609: Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B
> >>>
> >>> and afterwards klist shows expected
> >>>
> >>> (fqdn and REALM are replaced)
> >>>
> >>>
> >>> however on EL6 system (perl-5.10.1-141.el6_7.1.x86_64
> >>> krb5-libs-1.10.3-57.el6.x86_64 perl-GSSAPI-0.26-6.el6.x86_64),
> >>> i get
> >>>
> >>>> [8576] 1476125499.295546: ccselect can't find appropriate cache for
> >>>> server principal host/fqdn@REALM
> >>>>
> >>>> using Name host/fqdn@REALM
> >>>>
> >>>> Errors: Unspecified GSS failure. Minor code may provide more information
> >>>> Credentials cache file '/tmp/krb5cc_0' not found
> >>>> major 851968 minor 2529639107
> >>>
> >>> my question is: what GSSAPI and/or krb5 version is required to be able
> >>> to create a credential cache where none existed before?
> >>>
> >>> or can someone shed some light on the error above?
> >>>
> >>> many thanks,
> >>>
> >>> stijn
> >>>
> >>> _______________________________________________
> >>> Perlgssapi-users mailing list
> >>> Per...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/perlgssapi-users
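Added example, not part of the original thread and not perl-GSSAPI code: a C decoder for the `major 851968 minor 2529639107` pair from the EL6 run, which makes the layering described in the reply visible. The major status splits into the generic fields defined by RFC 2744, while the minor status carries the Kerberos layer's own code; the helper names are hypothetical, and the table base and the `KRB5_FCC_NOFILE` name are taken from MIT krb5's error table as an assumption about the library in use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Major status layout from RFC 2744: calling error in bits 24-31,
   routine error in bits 16-23, supplementary info in bits 0-15. */
#define CALLING_ERROR(maj) (((uint32_t)(maj) >> 24) & 0xffu)
#define ROUTINE_ERROR(maj) (((uint32_t)(maj) >> 16) & 0xffu)
#define SUPPLEMENTARY(maj) ((uint32_t)(maj) & 0xffffu)

/* First krb5 com_err code in MIT krb5 (ERROR_TABLE_BASE_krb5); assumption. */
#define KRB5_TABLE_BASE (-1765328384LL)

/* Routine error names indexed by field value, as numbered in RFC 2744. */
static const char *const routine_names[] = {
    "none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
    "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
    "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
    "GSS_S_NAME_NOT_MN"
};

/* Hypothetical helper: name of the routine error carried in a major status. */
const char *routine_error_name(uint32_t major) {
    uint32_t r = ROUTINE_ERROR(major);
    return r < sizeof routine_names / sizeof routine_names[0]
               ? routine_names[r] : "unknown";
}

/* The minor status belongs to the mechanism. MIT krb5 passes its negative
   com_err codes through this unsigned field, so undo the wrap-around. */
int64_t krb5_code_from_minor(uint32_t minor) {
    return minor > INT32_MAX ? (int64_t)minor - 4294967296LL : (int64_t)minor;
}

/* Offset of the code inside the krb5 error table, or -1 if outside it. */
int krb5_table_offset(uint32_t minor) {
    int64_t off = krb5_code_from_minor(minor) - KRB5_TABLE_BASE;
    return (off >= 0 && off < 256) ? (int)off : -1;
}

int main(void) {
    uint32_t major = 851968u, minor = 2529639107u; /* values from the EL6 run */
    printf("calling=%u routine=%u (%s) supplementary=%u\n", CALLING_ERROR(major),
           ROUTINE_ERROR(major), routine_error_name(major), SUPPLEMENTARY(major));
    /* -1765328189 is KRB5_FCC_NOFILE in MIT krb5's error table. */
    printf("krb5 code %lld, table offset %d\n",
           (long long)krb5_code_from_minor(minor), krb5_table_offset(minor));
    return 0;
}
```

The GSS layer only reports a generic failure here; the missing credentials cache is visible solely in the mechanism-level minor code, which is why the trace output from `KRB5_TRACE` is needed to see what the Kerberos library was doing.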