Re: [Perlgssapi-users] context init without exising cache
From: Stijn De W. <sti...@ug...> - 2016-10-13 11:46:47
hi achim,
thanks for clarifying.
yes, this works, eg on an el7 box (the script has only perl-GSSAPI, no
kinit)
> [root@fqdn tmp]# rm -Rf /tmp/x1/
> [root@fqdn tmp]# KRB5CCNAME=DIR:/tmp/x1 klist -A
> [root@fqdn tmp]# ./getcred_hostbased_n2205.pl
> verify with KRB5CCNAME=DIR:/tmp/x1 klist -A
> ENV{KRB5CCNAME} DIR:/tmp/x1
>
> using Name host/fqd...@HP...
> Security context's time to live 86400 secs
> seems everything is fine, type klist to see the ticket
> [root@fqdn tmp]# KRB5CCNAME=DIR:/tmp/x1 klist -A
> Ticket cache: DIR::/tmp/x1/tktvrgaxm
> Default principal: host/fqd...@HP...
>
> Valid starting Expires Service principal
> 10/13/2016 13:44:00 10/14/2016 13:44:00 krbtgt/REALM@REALM
> 10/13/2016 13:44:00 10/14/2016 13:44:00 host/fqdn@REALM
stijn
On 10/13/2016 11:58 AM, Achim Grolms wrote:
> On Thursday 13 October 2016, Stijn De Weirdt wrote:
>> as a followup question, if getting the initial TGT is not part of
>> (older?) perl-GSSAPI,
>
> The Protocol and API GSSAPI is a layer on top of Kerberos and _other_
> authentication "mechtypes".
>
> So there is no "get a TGT" call in the GSSAPI specification, because the
> concept "TGT" is "one layer below" and not in the perl wrapper around the
> C interface as defined in RFC 2744:
>
>
> --------------------------------
> Perl Interface GSSAPI.pm
> --------------------------------
> GSSAPI-Implementation of RFC 2744,
> for Example Heimdal or MIT
> --------------------------------
> Kerberos5 implementation
> for Example Heimdal or MIT
> --------------------------------
>
>
>
>> does anyone have any idea why this works on el7?
>
> I have no idea why this works.
> To be sure: you have run kdestroy first to ensure there is no valid TGT from
> older requests?
>
>> is it a change in the krb5 libs (and if so, does anyone have any idea
>> which versions have this?)
>
> I have no idea.
>
>
>
>>
>> many thanks,
>>
>> stijn
>>
>> On 10/11/2016 08:16 AM, Stijn De Weirdt wrote:
>>> hi achim,
>>>
>>>> just to be sure: The output from both commands with the same
>>>> kerberos-config? Only the versions of Kerberos-libraries differ?
>>>
>>> the only difference on el7 is the
>>> "default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults.
>>> (but on el7, when i set KRB5CCNAME to DIR:/something of FILE:, it also
>>> works)
>>>
>>>> In both cases you have run the kinit successfully before and have a valid
>>>> TGT?
>>>
>>> kinit -kt /etc/krb5.keytab works, but i'm trying to get the context
>>> without a valid TGT present (ie an empty cache). so the output is
>>> produced without a valid TGT present.
>>>
>>>
>>> stijn
>>>
>>>> Best Regards,
>>>> Achim
>>>>
>>>> On Monday 10 October 2016, Stijn De Weirdt wrote:
>>>>> hi all,
>>>>>
>>>>> following the example code in
>>>>> http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm
>>>>> i manage to create and list the credentials on a system where no cache
>>>>> existed before on centos7 (perl-5.16.3-286.el7.x86_64
>>>>> krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)
>>>>>
>>>>> running with KRB5_TRACE=/dev/stdout, i get
>>>>>
>>>>>> using Name host/fqdn@REALM
>>>>>> Security context's time to live 74391 secs
>>>>>> seems everything is fine, type klist to see the ticket
>>>>>>
>>>>>> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM -> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ
>>>>>> [5408] 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from DIR::/tmp/x1/tktgfp8aQ with result: 0/Success
>>>>>> [5408] 1476125005.968609: Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B
>>>>>
>>>>> and afterwards klist shows expected
>>>>>
>>>>> (fqdn and REALM are replaced)
>>>>>
>>>>>
>>>>> however on an EL6 system (perl-5.10.1-141.el6_7.1.x86_64
>>>>> krb5-libs-1.10.3-57.el6.x86_64 perl-GSSAPI-0.26-6.el6.x86_64),
>>>>> i get
>>>>>
>>>>>> [8576] 1476125499.295546: ccselect can't find appropriate cache for
>>>>>> server principal host/fqdn@REALM
>>>>>>
>>>>>> using Name host/fqdn@REALM
>>>>>>
>>>>>> Errors:
>>>>>> Unspecified GSS failure. Minor code may provide more information
>>>>>> Credentials cache file '/tmp/krb5cc_0' not found
>>>>>> major 851968 minor 2529639107
>>>>>
>>>>> my question is: what GSSAPI and/or krb5 version is required to be able
>>>>> to create a credential cache where non-existed before?
>>>>>
>>>>> or can someone shed some light on the error above?
>>>>>
>>>>> many thanks,
>>>>>
>>>>> stijn
>>>>>
>>>>> -----------------------------------------------------------------------
>>>>> ---- --- Check out the vibrant tech community on one of the world's
>>>>> most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> Perlgssapi-users mailing list
>>>>> Per...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/perlgssapi-users
>>>
>>
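Added example, not the getcred_hostbased script from the thread and not code shipped with GSSAPI.pm: a Perl initiator against the GSSAPI.pm API (GSSAPI::Name->import, GSSAPI::Context->init, GSSAPI::Status) that deliberately starts with no credential cache, passes GSS_C_NO_CREDENTIAL so the krb5 mechanism has to find initiator credentials on its own, and then inspects what the library left in the cache. This is the situation the thread describes: on the EL6 box (krb5-libs 1.10.3) the mechanism gives up with "Credentials cache file ... not found", while on EL7 (krb5-libs 1.13.2) it obtains a TGT for the host principal from the keytab and writes it into the DIR: cache. That difference lines up with the client-keytab support MIT krb5 introduced in 1.11, which lets gss_acquire_cred fetch initial credentials from a keytab when the cache is empty; the thread itself does not pin down the exact version, and neither does this example. Assumptions, all hypothetical: the script runs as root so /etc/krb5.keytab (the host key) is readable, the target is host@<fqdn> with the fqdn taken from the command line or from Sys::Hostname (which is not fully qualified on every host), and the cache path /tmp/gss-example-cc does not exist yet.

```perl
#!/usr/bin/perl
# Added example (not the thread's script): initiate a GSSAPI context to a
# host-based service while no Kerberos credential cache exists, let libkrb5
# decide whether it can acquire initiator credentials by itself, and report
# what ended up in the cache.
#
# Assumptions (hypothetical, adjust for your site):
#   - runs as root, so /etc/krb5.keytab (the host key) is readable;
#   - target is host@<fqdn>; fqdn from argv[0] or Sys::Hostname;
#   - KRB5CCNAME names a DIR: cache that does not exist yet, as in the
#     transcript, so no leftover kinit ticket can satisfy the request.
use strict;
use warnings;
use GSSAPI;
use Sys::Hostname qw(hostname);

my $fqdn   = $ARGV[0] // hostname();
my $ccache = $ARGV[1] // '/tmp/gss-example-cc';   # hypothetical path

die "refusing to run: $ccache already exists, remove it first\n" if -e $ccache;
$ENV{KRB5CCNAME} = "DIR:$ccache";
$ENV{KRB5_TRACE} = '/dev/stderr' if $ENV{DEBUG};  # libkrb5 trace, as used in the thread

# Host-based target name in "service@host" form.
my $target;
my $status = GSSAPI::Name->import($target, "host\@$fqdn", gss_nt_hostbased_service);
fail('import of target name', $status) unless $status->major == GSS_S_COMPLETE;

$status = $target->display(my $display);
fail('display of target name', $status) unless $status->major == GSS_S_COMPLETE;
print "target: $display\n";

# GSS_C_NO_CREDENTIAL: the krb5 mechanism looks for initiator credentials
# itself. With an empty cache this either fails the way the EL6 run did, or,
# on a libkrb5 that can get a TGT from the keytab, succeeds and fills $ccache.
my $ctx = GSSAPI::Context->new();
my ($omech, $otoken, $oflags, $otime);
$status = $ctx->init(
    GSS_C_NO_CREDENTIAL,
    $target,
    gss_mech_krb5,
    GSS_C_REPLAY_FLAG,          # no mutual auth: one token, no peer needed
    0,                          # default lifetime
    GSS_C_NO_CHANNEL_BINDINGS,
    q{},                        # no input token on the first call
    $omech, $otoken, $oflags, $otime,
);
fail('init_sec_context', $status)
    unless $status->major == GSS_S_COMPLETE
        or $status->major == GSS_S_CONTINUE_NEEDED;

printf "context established, time to live %d secs, token %d bytes\n",
    $otime, length $otoken;

# What the library left behind: the DIR: cache should now exist, and because
# it holds this host's TGT nobody but the owner may read it.
if (-d $ccache) {
    my $mode = (stat $ccache)[2] & 07777;
    printf "cache %s created, mode %04o%s\n", $ccache, $mode,
        ($mode & 077) ? ' (WARNING: group/other access)' : '';
    system('klist', '-A') == 0 or warn "klist not available or failed\n";
} else {
    print "context succeeded but no cache was written at $ccache\n";
}

# Same shape of report as the thread's "Errors: ... major ... minor ..." output.
sub fail {
    my ($what, $st) = @_;
    print STDERR "$what failed:\n";
    print STDERR "  $_\n" for $st->generic_message, $st->specific_message;
    printf STDERR "  major %u minor %u\n", $st->major, $st->minor;
    exit 1;
}
```

Run it as root with `DEBUG=1 ./gss_nocache.pl fqdn /tmp/gss-example-cc` to get the same KRB5_TRACE lines the thread shows, then `KRB5CCNAME=DIR:/tmp/gss-example-cc klist -A` to confirm the krbtgt and host service tickets. The permission check matters because a cache filled from /etc/krb5.keytab contains a TGT for the host principal: any local process that can read it can act as the host, which is also why the EL7 default of KEYRING:persistent:%{uid} (kernel keyring bound to the uid) is a safer home for it than a world-visible /tmp directory.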