
Cyrus SASL and the Kerberos TGT
With Kerberos, successful authentication using kinit results in a locally-cached TGT that will be used for authentication to Kerberized services. Typically, this TGT is valid for one day so that the user only needs to provide their credentials once per day for all interactions with Kerberized services.

Say I write a client/server application that uses the Cyrus SASL implementation to authenticate users using the Kerberos mechanism. How does TGT caching work in this context? In other words, does the client-side cyrus library automatically keep track of the TGT so that future interactions with the server do not require user credentials? If so, is there any way to specify that the TGT that Cyrus obtains from the KDC be forwardable so that the client can interact with other Kerberized services?

Thanks for any tips!
Solution

  • As far as I know, the Cyrus SASL library does not obtain a TGT for the user – it doesn't even know the principal or password; instead it expects a TGT to already be present in the system's credential cache.

    So the answer is to use kinit --forwardable, because you have to use kinit anyway.
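Since the answer above comes down to "the TGT must already be in the credential cache, and it must be forwardable", here is an added example (not from the question or the answer) of the check a client-side deployment script can run before handing the cache to a Cyrus SASL GSSAPI client. It assumes MIT Kerberos `klist -f` output, where each ticket line is followed by an indented line carrying `Flags:` (F means forwardable); the two sample cache listings are constructed inline, so the script runs offline. Note that MIT `kinit` spells the option `-f`, while `--forwardable` is the Heimdal spelling used in the answer.

```shell
#!/bin/sh
# Added example: verify that the credential cache a Cyrus SASL GSSAPI client
# will pick up contains a *forwardable* TGT. Assumes MIT Kerberos klist -f
# output: a ticket line, then an indented line ending in "Flags: <letters>".

# Read klist -f text on stdin; exit 0 if the krbtgt entry carries the F flag.
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }          # the TGT line itself
        in_tgt && /Flags:/ {                     # flags line that follows it
            sub(/.*Flags: */, "")                # keep only the flag letters
            if (index($0, "F") > 0) found = 1
            in_tgt = 0
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Live check against the real cache (needs klist on the host; not run here).
check_live_cache() {
    klist -f 2>/dev/null | tgt_is_forwardable
}

# Constructed sample: cache after a plain `kinit` (no F flag on the TGT).
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2024 09:00:00  01/02/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/09/2024 09:00:00, Flags: RIA'

# Constructed sample: cache after `kinit -f` (MIT) / `kinit --forwardable`
# (Heimdal), plus a service ticket already obtained through SASL.
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2024 09:00:00  01/02/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/09/2024 09:00:00, Flags: FRIA
01/02/2024 09:01:00  01/02/2024 19:00:00  imap/mail.example.com@EXAMPLE.COM
        Flags: A'

# Stand-alone demonstration over the two constructed listings.
for listing in "$SAMPLE_NOT_FORWARDABLE" "$SAMPLE_FORWARDABLE"; do
    if printf '%s\n' "$listing" | tgt_is_forwardable; then
        echo "forwardable TGT present; SASL GSSAPI clients can delegate"
    else
        echo "no forwardable TGT; run kinit -f (MIT) or kinit --forwardable (Heimdal)"
    fi
done
```

In a real deployment replace the sample listings with `check_live_cache`, and treat a failure as "re-run kinit" rather than as a SASL problem, since the library never obtains the TGT itself.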