Re: Trouble Accessing API Credential Cache in C++ Kerberos Integration on macOS

<mailman.41.1698757811.2263420.kerberos@mit.edu>

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Trouble Accessing API Credential Cache in C++ Kerberos
Integration on macOS
Date: Tue, 31 Oct 2023 09:09:35 -0400
Organization: TNet Consulting
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
To: Vincent Le Bourlot <vlb@starqube.com>
 by: Ken Hornstein - Tue, 31 Oct 2023 13:09 UTC

>I’m working on integrating kerberos authentication to my c++
>app. I’m developing on macos where the default credential cache is
>of type API:. Initializing a credential cache with KCM: results in
>a deprecation warning asking to use API: instead. My problem in the
>c++ app is that I cannot find any way to access the API: cache to use
>the (valid) credentials that are stored in it. The context is always
>using the KCM cache. Specifying the default name before trying the
>gss_init_sec_context doesn’t help… If I use the brew version of krb5
>(which is MIT instead of Heimdal-apple I believe?) AND specifying the
>KCM cache, I manage to correctly initialize the security context. Thus
>my question: is there a way to use the default cache used by the default
>kinit on macos when coding with the MIT Kerberos and gss api?

In _general_ (and this is also true on MacOS X) if you simply take the
defaults you'll get the correct credential cache. Without doing any
GSSAPI gyrations the 'normal' way the default credential cache is found
is via the KRB5CCNAME environment variable and possibly the Kerberos
configuration file.

The situation on MacOS X is more complicated; normally you would never
use KCM: as a credential type there (definitely not with the Apple
Kerberos libraries). For a while KCM: would work _if_ you were linking
against MIT Kerberos libraries (and KCM would be the default if you
used MIT Kerberos, but normally you wouldn't have to explicitly specify
it). But as of Big Sur there was a change in the Heimdal Kerberos
libraries and the API credential cache was no longer interoperable with
the MIT Kerberos KCM credential cache. I submitted patches to MIT
Kerberos to interoperate with the Apple credential cache and they are
in the latest version of MIT Kerberos available via brew (1.21.2).
In that code it uses API: as the 'correct' credential cache name.

So what I would say is:

- Only in rare circumstances (older MIT Kerberos and pre-Big Sur OS X)
should you use KCM:
- Normally you shouldn't specify the default credential cache at all
and the 'right' thing should happen

If you give us more specifics on Kerberos and OS X versions we could work
out the details.

--Ken
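
A preflight check in the spirit of the reply above, added here as an illustration; it is not code from the post or from MIT Kerberos. It assumes MIT krb5's lookup order (KRB5CCNAME, then `default_ccache_name` in `[libdefaults]`, then the library's built-in default) and reports whether an override is forcing `KCM:`; the struct, the function names and the sample krb5.conf text are constructed for the example.

```cpp
// Added example: which setting would name the default credential cache?
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
struct CcacheChoice {
    std::string name;    // e.g. "API:"; empty means the library picks its default
    std::string source;  // "KRB5CCNAME", "krb5.conf" or "library default"
    bool explicit_kcm;   // true when an override forces KCM:
};
static std::string trim(const std::string& s) {
    const char* ws = " \t\r";
    std::string::size_type b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Value of default_ccache_name in [libdefaults], or "" when it is not set.
std::string conf_default_ccache(const std::string& conf_text) {
    std::istringstream in(conf_text);
    std::string line, section;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == '#' || line[0] == ';') continue;
        if (line[0] == '[') { section = line; continue; }
        std::string::size_type eq = line.find('=');
        if (section == "[libdefaults]" && eq != std::string::npos &&
            trim(line.substr(0, eq)) == "default_ccache_name")
            return trim(line.substr(eq + 1));
    }
    return "";
}

// Assumed order (MIT krb5): environment first, then krb5.conf, then built-in default.
CcacheChoice resolve_default_ccache(const char* env, const std::string& conf_text) {
    CcacheChoice c = {"", "library default", false};
    std::string from_conf = conf_default_ccache(conf_text);
    if (env && *env) { c.name = env; c.source = "KRB5CCNAME"; }
    else if (!from_conf.empty()) { c.name = from_conf; c.source = "krb5.conf"; }
    c.explicit_kcm = c.name.compare(0, 4, "KCM:") == 0;
    return c;
}

int main() {
    // Constructed krb5.conf text; a real check would read the file the library uses.
    const std::string conf = "[libdefaults]\n  default_realm = EXAMPLE.COM\n";
    CcacheChoice c = resolve_default_ccache(std::getenv("KRB5CCNAME"), conf);
    std::cout << c.source << ": " << (c.name.empty() ? "(unset)" : c.name) << "\n";
    return c.explicit_kcm ? 1 : 0;  // non-zero: something pins KCM:
}
```

A non-zero exit means an environment or configuration override pins `KCM:`, the case the reply says should be rare; the check does not see a name the application sets in code.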
