I am developing a C++ client that uses GSSAPI to log in to a server. For the credentials I am using gss methods to build a credential object (explained in the code below). My code for this part is:
    #include <stdio.h>
    #include <string.h>
    #include <gssapi.h>
    #include <gssapi_krb5.h>
    #include <gssapi/gssapi_generic.h>
    #include <gssapi/gssapi_ext.h>

    gss_cred_id_t method_to_get_cred() {
        const char *username = "[email protected]";
        const char *password = "correctpassword";
        gss_buffer_desc send_tok;
        OM_uint32 maj_stat, min_stat;
        gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;  // defined value if acquisition fails
        gss_name_t gss_username;
        gss_OID_set_desc mechs, *mechsp = GSS_C_NO_OID_SET;
        gss_buffer_desc pwbuf;

        // getting username: import it as a GSS name
        send_tok.value = (void *)username;
        send_tok.length = strlen(username);
        maj_stat = gss_import_name(&min_stat, &send_tok,
                                   (gss_OID)gss_nt_user_name, &gss_username);
        if (maj_stat != GSS_S_COMPLETE) {
            printf("parsing client name %d %d \n ", maj_stat, min_stat);
            // the function returns a credential handle, so -1 is not a valid return value
            return GSS_C_NO_CREDENTIAL;
        }
        printf("Maj stat after gss_import_name: %d \n", maj_stat);
        printf("Acquired username \n");
        // getting username complete

        // getting password
        pwbuf.value = (void *)password;
        pwbuf.length = strlen(password);
        maj_stat = gss_acquire_cred_with_password(&min_stat,
                                                  gss_username,
                                                  &pwbuf, 0,
                                                  mechsp, GSS_C_INITIATE,
                                                  &cred, NULL, NULL);
        printf("Acquired password \n");
        // getting password complete
        printf("Maj stat and min stat after gss_acquire_cred_with_password: %d %d\n", maj_stat, min_stat);

        // release the imported name only after the status values have been printed
        gss_release_name(&min_stat, &gss_username);
        return cred;
    }
Now I am printing the major status (GSSAPI-level status) and minor status (mechanism-level status, which is Kerberos in this case). When I give the logged-in user (i.e. asanyal), the status printf message gives 0 for both values (all goes well).
However, when I use a different username (this one is registered in the Active Directory, but I am not logged in as him) I am getting
majstat = 851968 and minstat = -1765328243
Further investigation revealed that this minor status message corresponds to the error
KRB5_CC_NOTFOUND Matching credential not found
I am certain I am passing correct credentials (username, password) for the non-logged-in users.
Is this something wrong with GSSAPI internally (maybe it's unable to get a ticket or something), or am I making some mistake?
Configuration used: Windows Active Directory (Windows Server 2008) and MIT Kerberos libraries, version 4.0.1
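The two status values quoted in the question can be taken apart by hand. The following is an added example, not part of the original post: it splits the major status into its RFC 2744 fields and unpacks the minor status as a com_err code (table name plus offset), assuming the minor status is a raw com_err value as it is here. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 2744 major status: calling error in bits 24-31, routine error in
 * bits 16-23, supplementary info in bits 0-15. */
static unsigned gss_calling_error(uint32_t maj) { return (maj >> 24) & 0xffu; }
static unsigned gss_routine_error(uint32_t maj) { return (maj >> 16) & 0xffu; }
static unsigned gss_supplementary(uint32_t maj) { return maj & 0xffffu; }

/* Routine-error names in RFC 2744 order; index 0 means no routine error. */
static const char *gss_routine_name(unsigned code) {
    static const char *const names[] = {
        "(none)", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
        "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
        "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
        "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
        "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
        "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
        "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN" };
    return code < sizeof names / sizeof names[0] ? names[code] : "(unknown)";
}

/* com_err code: the low 8 bits are the offset inside an error table, the
 * 24 bits above encode the table name as four 6-bit characters. */
static unsigned et_offset(int32_t code) { return (uint32_t)code & 0xffu; }

static void et_table_name(int32_t code, char out[5]) {
    static const char set[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
    uint32_t id = ((uint32_t)code >> 8) & 0xffffffu;
    char *p = out;
    for (int i = 3; i >= 0; --i) {
        unsigned ch = (id >> (6 * i)) & 0x3fu;
        if (ch != 0)            /* 0 is padding, 1..63 index into set */
            *p++ = set[ch - 1];
    }
    *p = '\0';
}

int main(void) {
    uint32_t maj = 851968u;        /* majstat from the question */
    int32_t min = -1765328243;     /* minstat from the question */
    char table[5];
    et_table_name(min, table);
    printf("major: calling=%u routine=%u (%s) supplementary=0x%04x\n",
           gss_calling_error(maj), gss_routine_error(maj),
           gss_routine_name(gss_routine_error(maj)), gss_supplementary(maj));
    printf("minor: table=%s offset=%u\n", table, et_offset(min));
    return 0;
}
```

The major status carries only the generic routine error; the mechanism-specific cause is in the minor status, which is why the Kerberos error table has to be consulted.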
OK, I figured it out: the GSS-API does not include any API calls to directly obtain a TGT or ST. For that you need the krb API (in the case of an underlying Kerberos mechanism). Typically you would need a function like:
    krb5_get_init_creds_password(context, &creds, principal, conn->passwd, NULL, NULL, NULL, NULL, opts); // these are the arguments I specified in my program
along with certain context, credential cache and principal initialization parts.