Re: Trouble Accessing API Credential Cache in C++ Kerberos Integration

    From Ken Hornstein@21:1/5 to Vincent Le Bourlot on Tue Oct 31 09:09:35 2023
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > I’m working on integrating Kerberos authentication into my C++
    > app. I’m developing on macOS where the default credential cache is
    > of type API:. Initializing a credential cache with KCM: results in
    > a deprecation warning asking to use API: instead. My problem in the
    > C++ app is that I cannot find any way to access the API: cache to use
    > the (valid) credentials that are stored in it. The context is always
    > using the KCM cache. Specifying the default name before trying the
    > gss_init_sec_context doesn’t help… If I use the brew version of krb5
    > (which is MIT instead of Heimdal-apple I believe?) AND specify the
    > KCM cache, I manage to correctly initialize the security context. Thus
    > my question: is there a way to use the default cache used by the default
    > kinit on macOS when coding with the MIT Kerberos and GSS API?

    In _general_ (and this is also true on MacOS X) if you simply take the
    defaults you'll get the correct credential cache. Without doing any
    GSSAPI gyrations the 'normal' way the default credential cache is found
    is via the KRB5CCNAME environment variable and possibly the Kerberos configuration file.

    The situation on MacOS X is more complicated; normally you would never
    use KCM: as a credential type there (definitely not with the Apple
    Kerberos libraries). For a while KCM: would work _if_ you were linking
    against MIT Kerberos libraries (and KCM would be the default if you
    used MIT Kerberos, but normally you wouldn't have to explicitly specify
    it). But as of Big Sur there was a change in the Heimdal Kerberos
    libraries and the API credential cache was no longer interoperable with
    the MIT Kerberos KCM credential cache. I submitted patches to MIT
    Kerberos to interoperate with the Apple credential cache and they are
    in the latest version of MIT Kerberos available via brew (1.21.2).
    In that code it uses API: as the 'correct' credential cache name.

    So what I would say is:

    - Only in rare circumstances (older MIT Kerberos and pre-Big Sur OS X)
    should you use KCM:
    - Normally you shouldn't specify the default credential cache at all
    and the 'right' thing should happen

    If you give us more specifics on Kerberos and OS X versions we could work
    out the details.

    --Ken
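    The lookup order Ken describes (KRB5CCNAME first, then the Kerberos configuration file, then whatever the library was built with) is what decides whether an app that never names a cache lands on KCM: or API:. The following is an added illustration, not code from this thread or from MIT Kerberos: it models that order with a small krb5.conf reader so the result can be checked offline. The sample configuration, the uid and the compiled-in default "API:" (assumed here for the Apple-interoperable MIT build) are constructed assumptions.

```cpp
// Added example: models how libkrb5 picks the default credential cache name.
// Precedence (MIT krb5): KRB5CCNAME env var, then [libdefaults]
// default_ccache_name in krb5.conf (with %{uid} expansion), then the
// library's compiled-in default. It does not call libkrb5 itself.
#include <cstdlib>
#include <sstream>
#include <string>

// Trim surrounding whitespace from a config token.
static std::string trim(const std::string& s) {
    const char* ws = " \t\r";
    size_t b = s.find_first_not_of(ws), e = s.find_last_not_of(ws);
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Minimal krb5.conf reader: value of `key` inside `[section]`, or "" if
// absent. Skips comments (#, ;) and keys that live in other sections.
std::string conf_lookup(const std::string& conf, const std::string& section,
                        const std::string& key) {
    std::istringstream in(conf);
    std::string line, cur;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == '#' || line[0] == ';') continue;
        if (line.front() == '[' && line.back() == ']') {
            cur = line.substr(1, line.size() - 2);
            continue;
        }
        size_t eq = line.find('=');
        if (cur != section || eq == std::string::npos) continue;
        if (trim(line.substr(0, eq)) == key) return trim(line.substr(eq + 1));
    }
    return "";
}

// Expand the %{uid} parameter that MIT krb5 permits in default_ccache_name.
std::string expand_uid(std::string name, unsigned uid) {
    const std::string tok = "%{uid}";
    for (size_t p; (p = name.find(tok)) != std::string::npos;)
        name.replace(p, tok.size(), std::to_string(uid));
    return name;
}

// env: value of KRB5CCNAME, or nullptr when unset. compiled_default is an
// assumption standing in for the library's build-time DEFCCNAME.
std::string resolve_default_ccache(const char* env, const std::string& conf,
                                   unsigned uid, const std::string& compiled_default) {
    if (env && *env) return env;                     // 1. environment wins
    std::string c = conf_lookup(conf, "libdefaults", "default_ccache_name");
    if (!c.empty()) return expand_uid(c, uid);       // 2. krb5.conf setting
    return compiled_default;                         // 3. built-in default
}
```

    In a real diagnosis you would feed it std::getenv("KRB5CCNAME"), the text of the krb5.conf your app actually loads, and getuid(); an unexpected KCM: result at step 2 points at a stale default_ccache_name line rather than at the GSSAPI calls.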
