Using GSSAPI to Authenticate to AD - Kerberos

  1. Using GSSAPI to Authenticate to AD

    Hi,

    I want to authenticate an Active Directory User using GSSAPI. The code
    would be in C++. To be specific here is the scenario:

    1] End user adopts/creates one or more Active Directory users using
    any of the AD integration packages on Linux.
    2] In my executable, which would be always running as root, I find out
    that I need to use AD user and authenticate using GSSAPI
    3] I cannot impersonate as the user because that would change user
    context of whole process.
    4] Therefore, I need to somehow find out whether there is already a
    ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
    GSSAPI: GSSAPI::Name->import?)
    5] If not, process would obtain one.
    6] Get the ticket and initialize the security context (Win32SDK:
    InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
    7] Get the token and send it for authentication

    If the process is running in the user context which needs to be
    authenticated, it's easier and I have perl implementation of it. But in
    this case, since process will always be running as root, I don't know
    if there is a way I can know/get ticket for authentication.

    Is there a sample/example that can, at least in parts if not
    completely, illustrate how this can be done using C/C++ somewhere?

    I found one link on MSDN but don't know whether that's the entire flow/
    applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx

    Any comments would be welcome.

    Thanks in advance,
    -Neel.

  2. Re: Using GSSAPI to Authenticate to AD

    On Aug 27, 1:53 pm, neelsm...@rediffmail.com wrote:
    > Hi,
    >
    > I want to authenticate an Active Directory User using GSSAPI. The code
    > would be in C++. To be specific here is the scenario:
    >
    > 1] End user adopts/creates one or more Active Directory users using
    > any of the AD integration packages on Linux.
    > 2] In my executable, which would be always running as root, I find out
    > that I need to use AD user and authenticate using GSSAPI
    > 3] I cannot impersonate as the user because that would change user
    > context of whole process.
    > 4] Therefore, I need to somehow find out whether there is already a
    > ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
    > GSSAPI: GSSAPI::Name->import?)
    > 5] If not, process would obtain one.
    > 6] Get the ticket and initialize the security context (Win32SDK:
    > InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
    > 7] Get the token and send it for authentication
    >
    > If the process is running in the user context which needs to be
    > authenticated, it's easier and I have perl implementation of it. But in
    > this case, since process will always be running as root, I don't know
    > if there is a way I can know/get ticket for authentication.
    >
    > Is there a sample/example that can, at least in parts if not
    > completely, illustrate how this can be done using C/C++ somewhere?
    >
    > I found one link on MSDN but don't know whether that's the entire flow/
    > applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx
    >
    > Any comments would be welcome.
    >
    > Thanks in advance,
    > -Neel.



    After searching for the answer, I believe the question above can be
    shortened to:
    How can I acquire handle to credentials of a different user than the
    one process running as, without impersonating that user?

    I found this post:
    http://groups.google.co.in/group/com...09a9d4ee799b04

    It mentions setting KRB5CCNAME before calling gss_acquire_cred,
    which may be simple but that raises a couple of questions:
    - If I am running a multi-threaded application, each thread needing to
    set KRB5CCNAME so that it can call gss_acquire_cred, it will affect the
    application. Is there a way to let gss_acquire_cred/
    gss_init_sec_context know which credential cache to use without
    blocking the whole app?

    - Even though I can specify which credential cache file name to use
    from within my app, any external "kinit" calls will still create
    different files. Is there an api where I can specify what user I need
    to get ticket of if already created?

    Again, any comments will be welcome.

    Thanks,
    -Neel.

  3. Re: Using GSSAPI to Authenticate to AD

    On Wed, Aug 27, 2008 at 4:53 AM, wrote:
    > Hi,
    >
    > I want to authenticate an Active Directory User using GSSAPI. The code
    > would be in C++. To be specific here is the scenario:
    >
    > 1] End user adopts/creates one or more Active Directory users using
    > any of the AD integration packages on Linux.
    > 2] In my executable, which would be always running as root, I find out
    > that I need to use AD user and authenticate using GSSAPI
    > 3] I cannot impersonate as the user because that would change user
    > context of whole process.
    > 4] Therefore, I need to somehow find out whether there is already a
    > ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
    > GSSAPI: GSSAPI::Name->import?)
    > 5] If not, process would obtain one.
    > 6] Get the ticket and initialize the security context (Win32SDK:
    > InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
    > 7] Get the token and send it for authentication
    >
    > If the process is running in the user context which needs to be
    > authenticated, it's easier and I have perl implementation of it. But in
    > this case, since process will always be running as root, I don't know
    > if there is a way I can know/get ticket for authentication.
    >
    > Is there a sample/example that can, at least in parts if not
    > completely, illustrate how this can be done using C/C++ somewhere?
    >
    > I found one link on MSDN but don't know whether that's the entire flow/
    > applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx
    >
    > Any comments would be welcome.


    GSSAPI just handles authentication. That's not terribly difficult to
    do in C++ but it's not clear how you get from GSSAPI authentication to
    creating users "using any of the AD integration packages on Linux".
    There are a lot of details to creating an application like that in
    Linux. It's a lot harder than it looks.

    Incidentally there is a product called Plexcel that has worked out all
    of these details (see the link in my signature - it's also free for up
    to 25 users). With the Plexcel PHP extension you can easily create a
    web page that will authenticate someone using SPNEGO (or explicit
    Kerberos login) and then use the delegated credential to create users,
    change passwords, etc [1]. Or you can do it from the commandline. In
    fact I have a very nice little Plexcel commandline script for creating
    users that I wrote for someone else that I would be happy to give you.
    If you want a copy, or if you have any questions about Plexcel feel
    free to contact me directly through IOPLEX Software support.

    Mike

    [1] To give you an idea of what the code would look like look at the
    example on this page:
    http://www.ioplex.com/api/plexcel_add_object.html

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/

  4. Re: Using GSSAPI to Authenticate to AD

    On Aug 27, 9:39 pm, "Michael B Allen" wrote:
    > On Wed, Aug 27, 2008 at 4:53 AM, wrote:
    > > Hi,
    > >
    > > I want to authenticate an Active Directory User using GSSAPI. The code
    > > would be in C++. To be specific here is the scenario:
    > >
    > > 1] End user adopts/creates one or more Active Directory users using
    > > any of the AD integration packages on Linux.
    > > 2] In my executable, which would be always running as root, I find out
    > > that I need to use AD user and authenticate using GSSAPI
    > > 3] I cannot impersonate as the user because that would change user
    > > context of whole process.
    > > 4] Therefore, I need to somehow find out whether there is already a
    > > ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
    > > GSSAPI: GSSAPI::Name->import?)
    > > 5] If not, process would obtain one.
    > > 6] Get the ticket and initialize the security context (Win32SDK:
    > > InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
    > > 7] Get the token and send it for authentication
    > >
    > > If the process is running in the user context which needs to be
    > > authenticated, it's easier and I have perl implementation of it. But in
    > > this case, since process will always be running as root, I don't know
    > > if there is a way I can know/get ticket for authentication.
    > >
    > > Is there a sample/example that can, at least in parts if not
    > > completely, illustrate how this can be done using C/C++ somewhere?
    > >
    > > I found one link on MSDN but don't know whether that's the entire flow/
    > > applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx
    > >
    > > Any comments would be welcome.
    >
    > GSSAPI just handles authentication. That's not terribly difficult to
    > do in C++ but it's not clear how you get from GSSAPI authentication to
    > creating users "using any of the AD integration packages on Linux".
    > There are a lot of details to creating an application like that in
    > Linux. It's a lot harder than it looks.


    Thanks for responding. I think I couldn't explain very clearly. The
    actual importing of AD users to Linux is done by other applications
    and there are a lot of them out there. My question was about post user
    import. For example:

    - If there are already userA, userB and userC created on the linux
    machine which map to AD users (I do not need to know the mechanism how
    but just that they do map to AD users)
    - Now, how do I initialize the security context for userB if my
    process is running in root's context?

    I found one more thread about this:
    http://groups.google.co.in/group/com...3d8914af3befd4

    As mentioned in the thread above, it is possible to switch to
    different user security context using gss_krb5_ccache_name. There are
    problems there as well though:

    - If you want to switch user contexts multiple times, in multiple
    threads, application's performance gets affected because initializing
    security context (or one of the steps in it) is a lengthy operation -
    on my setup it takes almost 5 seconds.
    - I believe the switch has to be synchronized so that unless
    gss_init_sec_context in one thread completes, I cannot call
    gss_krb5_ccache_name from anywhere else in my application - that
    increases the delay in multi threaded application even more.

    That was the reason why I wanted to know whether gss_init_sec_context
    somehow accepts a local parameter so that initializing security
    contexts of different users can be independent of each other.

    Thanks again,
    -Neel.

    >
    > Incidentally there is a product called Plexcel that has worked out all
    > of these details (see the link in my signature - it's also free for up
    > to 25 users). With the Plexcel PHP extension you can easily create a
    > web page that will authenticate someone using SPNEGO (or explicit
    > Kerberos login) and then use the delegated credential to create users,
    > change passwords, etc [1]. Or you can do it from the commandline. In
    > fact I have a very nice little Plexcel commandline script for creating
    > users that I wrote for someone else that I would be happy to give you.
    > If you want a copy, or if you have any questions about Plexcel feel
    > free to contact me directly through IOPLEX Software support.
    >
    > Mike
    >
    > [1] To give you an idea of what the code would look like look at the
    > example on this page: http://www.ioplex.com/api/plexcel_add_object.html
    >
    > --
    > Michael B Allen
    > PHP Active Directory SPNEGO SSO
    > http://www.ioplex.com/



  5. Re: Using GSSAPI to Authenticate to AD

    On Thu, Aug 28, 2008 at 9:12 AM, wrote:
    > - Now, how do I initialize the security context for userB if my
    > process is running in root's context?
    >
    > I found one more thread about this :
    > http://groups.google.co.in/group/com...3d8914af3befd4
    >
    > As mentioned in the thread above, it is possible to switch to
    > different user security context using gss_krb5_ccache_name. There are
    > problems there as well though:
    >
    > - If you want switch user contexts multiple times, in multiple
    > threads, application's performance gets affected because initializing
    > security context (or one of the steps in it) is a lengthy operation -
    > on my setup it takes almost 5 seconds.
    > - I believe the switch has to be synchronized so that unless
    > gss_init_sec_context in one thread completes, I cannot call
    > gss_krb5_ccache_name from anywhere else in my application - that
    > increases the delay in multi threaded application even more.
    >
    > That was the reason why I wanted to know whether gss_init_sec_context
    > somehow accepts a local parameter so that initializing security
    > contexts of different users can be independent of each other.


    The gss_init_sec_context function accepts a gss_cred_id_t parameter
    that represents the initiator credential. This credential can be
    obtained for an arbitrary account using the gss_acquire_cred function
    provided a credential for the desired account is available for the
    target mechanism.

    There is no need to change your identity with setuid unless you will
    be performing local operations that require the identity be a certain
    local account. GSSAPI has no knowledge of local accounts and never
    looks at the default identity of the user (however if no gss_cred_id_t
    is supplied at all, the underlying mechanism may use the local
    identity to guess where it might find credentials).

    Meaning, you want to export the KRB5CCNAME environment variable to
    point to a ccache file with credentials for the desired account. This
    assumes of course that there is such a credential. Unfortunately
    GSSAPI does not define how to acquire initial credentials. Like I said
    - there are a lot of details that are not handled by GSSAPI alone.

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/
