Trouble Getting Ticket into Cache - Kerberos


Thread: Trouble Getting Ticket into Cache

  1. Trouble Getting Ticket into Cache

    Hello,

    I am new to Kerberos and am using it to authenticate an application
    user to my PostgreSQL database. I have written a test C program to
    get a ticket into the cache. I've gotten the program, which is based
    largely on a set of API calls from Brian Tung's "Kerberos: A Network
    Authentication System", to compile and link but the executable always
    throws a SIGSEGV segmentation fault. I've run it through gdb and it
    always throws on krb5_get_in_tkt_with_password or
    krb5_get_in_tkt_with_keytab (depending on which I am using). The
    error text is "Failed to read a valid object file image from memory".

    I am able to get a ticket into cache from the command line using kinit
    -k -t /usr/lib/postgresql/8.2/etc/krb5.keytab application_user/
    my.domain@MY.REALM. Interestingly enough, when I try to "kinit
    application_user/my.domain@MY.REALM" and enter the password I get an
    incorrect password error. I have a notion that that has something to
    do with preauthentication, but do not have the time or resources to
    fully investigate. That's why I'm using "krb5_get_in_tkt_with_keytab"
    rather than "_with_password".

    I know that I am supposed to be using krb5_get_init_creds* but could
    not find enough background on the functions to substitute them.

    Can anyone give me any idea of what I may be doing wrong?

    Thanks much.

    Angus Atkins-Trimnell

    <<<< BEGIN CODE get_krb.c <<<<<<<<<<<

    /* The header names were lost when the post was archived (the angle
       brackets were swallowed as HTML); these are the headers the code uses. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <time.h>
    #include <krb5.h>
    #include <com_err.h>
    #define KRB5_DEFAULT_OPTIONS 0
    #define ENCTYPE_DES3_HMAC_SHA1 0x0010
    #define krb5_get_err_text(context,code) error_message(code)

    int main()
    {
        krb5_error_code retval;
        time_t curr_time;

        krb5_context context;
        retval = krb5_init_context(&context);
        if (retval)
        {
            return -1;
        }

        /* Service principal: postgres/my.domain@REALM */
        krb5_principal server;
        krb5_sname_to_principal(context,
                                "my.domain",
                                "postgres", KRB5_NT_SRV_HST,
                                &server);

        /* Client principal: application_user/my.domain@REALM */
        krb5_principal client;
        krb5_sname_to_principal(context,
                                "my.domain",
                                "application_user", KRB5_NT_SRV_HST,
                                &client);

        krb5_creds creds;
        krb5_kdc_rep *kdc_rep;
        krb5_ccache ccache;

        memset ((char *) &creds, 0, sizeof (creds));
        creds.client = client;
        creds.server = server;
        time(&curr_time);
        creds.times.starttime = curr_time;
        creds.times.endtime = curr_time + 600;
        /* The replies below point out that the keytab argument must be a
           krb5_keytab handle from krb5_kt_resolve, not a cast string.
           A null ccache also means the returned ticket is stored nowhere. */
        krb5_get_in_tkt_with_keytab(context,
                                    KRB5_DEFAULT_OPTIONS,
                                    (krb5_address **) 0,
                                    (krb5_enctype *) 0,
                                    (krb5_preauthtype *) 0,
                                    (krb5_keytab *) "/usr/lib/postgresql/8.2/etc/krb5.keytab",
                                    (krb5_ccache) 0,
                                    &creds, &kdc_rep);   /* creds is passed by address */

        return 0;
    }

    <<<< END CODE get_krb.c <<<<<<<<<<<

  2. Re: Trouble Getting Ticket into Cache

    On Feb 17, 2008, at 17:47, trimkins@sbcglobal.net wrote:
    > krb5_get_in_tkt_with_keytab(context,
    > KRB5_DEFAULT_OPTIONS,
    > (krb5_address **) 0,
    > (krb5_enctype *) 0,
    > (krb5_preauthtype *) 0,
    > (krb5_keytab *) "/usr/lib/postgresql/8.2/etc/krb5.keytab",
    > (krb5_ccache) 0,
    > creds, &kdc_rep);


    The keytab argument is not a pointer to krb5_keytab, it's a
    krb5_keytab, which is itself a pointer to a structure. You shouldn't
    be passing a string there. See, for example, krb5_kt_resolve, in
    krb5.h.


    --
    Ken Raeburn, Senior Programmer
    MIT Kerberos Consortium


  3. Re: Trouble Getting Ticket into Cache

    On Feb 17, 6:37 pm, Ken Raeburn wrote:
    > On Feb 17, 2008, at 17:47, trimk...@sbcglobal.net wrote:
    >
    > > krb5_get_in_tkt_with_keytab(context,
    > > KRB5_DEFAULT_OPTIONS,
    > > (krb5_address **) 0,
    > > (krb5_enctype *) 0,
    > > (krb5_preauthtype *) 0,
    > > (krb5_keytab *) "/usr/lib/postgresql/8.2/etc/krb5.keytab",
    > > (krb5_ccache) 0,
    > > creds, &kdc_rep);
    >
    > The keytab argument is not a pointer to krb5_keytab, it's a
    > krb5_keytab, which is itself a pointer to a structure. You shouldn't
    > be passing a string there. See, for example, krb5_kt_resolve, in
    > krb5.h.
    >
    > --
    > Ken Raeburn, Senior Programmer
    > MIT Kerberos Consortium


    Thank you. I was wondering about how I had coded that. I changed to
    code to use the function you recommended to get the krb5_keytab
    handle:

    krb5_keytab keytab;

    /* Resolve the keytab name into a handle before handing it to the library. */
    retval = krb5_kt_resolve(context, "FILE:/usr/lib/postgresql/8.2/etc/krb5.keytab", &keytab);
    if (retval != 0){
        return (1);
    }
    krb5_get_in_tkt_with_keytab(context,
                                KRB5_DEFAULT_OPTIONS,
                                (krb5_address **) 0,
                                (krb5_enctype *) 0,
                                (krb5_preauthtype *) 0,
                                keytab,
                                (krb5_ccache) 0,
                                &creds, &kdc_rep);   /* creds is passed by address */

    Unfortunately, I am still getting the "Failed to read a valid file
    image from memory" error. I will look through krb.h to see if there
    may be any other preparatory functions that I am missing. In the
    meantime, if anyone has any ideas about where my code is going wrong,
    I'd be happy to hear them.

    Sincerely,

    Angus

  4. Converting KDC from DES


    I'm going to be moving our KDC to a new set of servers and a current
    release level of MIT K5 (going from 1.4.2 to 1.6.3). If it's feasible,
    I'd like to take this opportunity to move from DES to a better encryption
    algorithm for our KDCs.

    Questions:

    1. Can conversion to a new encryption algorithm be done non-disruptively
    to users? What about users whose passwords were set back in our MIT K4
    days (I'm not sure if we have any of those left - we've been on K5 for
    over 8 years - but it's possible we do).

    2. What are all the steps involved? Since I'll be moving everything to
    new machines, I'm willing to do more than I would if this were just a
    release upgrade of my existing Kerberos environment.

    3. Assuming this is all doable, any suggestions as to which encryption
    algorithm to use?

    Thanks.

    Mike

    ________________________________________________________________________
    Mike Friedman                        Information Services & Technology
    mikef@berkeley.edu                   2484 Shattuck Avenue
    1-510-642-1410                       University of California at Berkeley
    http://socrates.berkeley.edu/~mikef  http://ist.berkeley.edu
    ________________________________________________________________________


  5. Converting KDC from DES


    [Sorry if two copies of this get sent out. The first one had a return
    address other than the one with which I'm subscribed to this list, so I'm
    sending this second copy to be sure it gets through at all].


  6. Re: Trouble Getting Ticket into Cache

    On Feb 17, 2008, at 20:03, trimkins@sbcglobal.net wrote:
    > Unfortunately, I am still getting the "Failed to read a valid file
    > image from memory" error.


    That sounds like a GDB problem, not a Kerberos problem.


    --
    Ken Raeburn, Senior Programmer
    MIT Kerberos Consortium


  7. Re: Trouble Getting Ticket into Cache

    On Feb 17, 9:46 pm, Ken Raeburn wrote:
    > On Feb 17, 2008, at 20:03, trimk...@sbcglobal.net wrote:
    >
    > > Unfortunately, I am still getting the "Failed to read a valid file
    > > image from memory" error.
    >
    > That sounds like a GDB problem, not a Kerberos problem.
    >
    > --
    > Ken Raeburn, Senior Programmer
    > MIT Kerberos Consortium


    Thanks. I will investigate further.

    --Angus

  8. Re: Trouble Getting Ticket into Cache

    On Feb 18, 8:34 am, trimk...@sbcglobal.net wrote:
    > On Feb 17, 9:46 pm, Ken Raeburn wrote:
    >
    > > On Feb 17, 2008, at 20:03, trimk...@sbcglobal.net wrote:
    >
    > > > Unfortunately, I am still getting the "Failed to read a valid file
    > > > image from memory" error.
    >
    > > That sounds like a GDB problem, not a Kerberos problem.
    >
    > > --
    > > Ken Raeburn, Senior Programmer
    > > MIT Kerberos Consortium
    >
    > Thanks. I will investigate further.
    >
    > --Angus


    I poked around a little more with gdb and found that the complaint was
    that the init.c file was not found. Other WWW searching found that
    this file "Provide(s) locking around the creation of the global
    krb5_context. Add(s) destruction/creation functions for the thread
    specific storage that the error string handling is using."

    This file seems to be linked largely with GSSAPI; is it specific to
    GSSAPI? Would it possibly not be installed on a Kerberos V5
    installation?

    Thanks.

    --Angus
