[Freeipa-devel] Notes on server to server sasl

Rich Megginson rmeggins at redhat.com
Fri Oct 31 18:36:19 UTC 2008


Simo Sorce wrote:
> On Fri, 2008-10-31 at 10:26 -0600, Rich Megginson wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Fri, 2008-10-31 at 09:18 -0600, Rich Megginson wrote:
>>>
>>>>> The credential cache contains the expiration date of the credentials,
>>>>> you should be able to check without contacting the KDC (and we do not
>>>>> want to contact the KDC at all, unless we need to acquire a ticket).
>>>>>
>>>> So if current datetime < cred expiration datetime, then the creds are 
>>>> ok?  No other validation needs to be done?
>>>>
>>> Usually it is safe to assume so.
>>> The only exception is someone generating a new key for the service, and
>>> replacing the service keytab instead of appending to it (so that the
>>> older key material with the previous kvno is no longer available to the
>>> server which cannot verify older credentials still valid).
>>>
>>> In this case you should get back an auth error. You may decide at this
>>> point to discard the current ticket and try to acquire a new one.
>>>
>> Ok.  Hmm - seems that my code will need to add some further complexity.  
>> Right now it just takes the first entry from the server's keytab file 
>> and uses that for authentication.  Is it possible the keytab may contain 
>> entries that cannot/should not be used?
>>     
>
> You manually parse the keytab ?
>   
I need a principal to pass to krb5_get_init_creds_keytab.  I do not have 
a way for the user to specify the principal.  I need a principal that 
actually exists in the keytab, so I use 
krb5_kt_start_seq_get/krb5_kt_next_entry/krb5_kt_end_seq_get to iterate 
the keytab entries, grabbing the first principal.
> In a keytab you can have entries for many different services,
For the directory server service keytab?  It will have principals other 
than ldap/fqdn at REALM?
> as well
> multiple entries for the same service but with different kvno.
> The highest kvno is the newest one and should be the one to be used.
> Older keys can be used only to accept valid tickets in the time-frame
> that the old keys are still valid.
>   
eek - then how is the code supposed to know which principal to use?
> Simo.
>
>   
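As an added example (not code from this thread, nor from the directory server or FreeIPA), a small Python parser for the MIT keytab file format (version 0x0502) that lists every entry and picks the highest kvno for each ldap/ principal, which is the selection Simo describes above. The sample keytab bytes, the realm EXAMPLE.COM and the host ipa.example.com are constructed for the demonstration.

```python
import struct
def _cstr(s):                             # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(s.encode())) + s.encode()
def build_entry(realm, comps, kvno, enctype, key, ts=0, name_type=1):
    # One constructed v2 (0x0502) entry: big-endian, 8-bit vno plus 32-bit vno extension.
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled here"
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative size marks a deleted slot: skip it
            off += -size
            continue
        end, pos = off + size, off
        def take():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2 + n
            return data[pos - n:pos].decode()
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # Trailing 32-bit vno extension, if present and nonzero, overrides the 8-bit vno.
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off = end
    return entries

def newest_kvno(entries, service):
    """Highest kvno per principal of one service (e.g. 'ldap'): the key a server should use."""
    best = {}
    for princ, kvno, _ in entries:
        if princ.startswith(service + "/"):
            best[princ] = max(best.get(princ, 0), kvno)
    return best

# Constructed sample: two ldap/ keys (kvno 1 and 2) plus an unrelated host/ key (kvno 3).
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("EXAMPLE.COM", ["ldap", "ipa.example.com"], 1, 18, b"\x11" * 32),
    build_entry("EXAMPLE.COM", ["ldap", "ipa.example.com"], 2, 18, b"\x22" * 32),
    build_entry("EXAMPLE.COM", ["host", "ipa.example.com"], 3, 17, b"\x33" * 16),
])
```

Taking the first entry, as the code in the thread does, would here yield the kvno 1 key; filtering on the service name and taking the highest kvno yields the kvno 2 key that the KDC currently issues tickets for.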




More information about the Freeipa-devel mailing list