On Thu, Aug 28, 2008 at 9:12 AM, <[EMAIL PROTECTED]> wrote:
> - Now, how do I initialize the security context for userB if my
> process is running in root's context?
>
> I found one more thread about this :
> http://groups.google.co.in/group/comp.protocols.kerberos/browse_thread/thread/434a62ca2c65876d/9d3d8914af3befd4?hl=en&lnk=st&q=%22gss_krb5_ccache_name%22#9d3d8914af3befd4
>
> As mentioned in the thread above, it is possible to switch to a
> different user security context using gss_krb5_ccache_name. There are
> problems there as well though:
>
> - If you want to switch user contexts multiple times, in multiple
> threads, the application's performance gets affected because initializing
> a security context (or one of the steps in it) is a lengthy operation -
> on my setup it takes almost 5 seconds.
> - I believe the switch has to be synchronized so that unless
> gss_init_sec_context in one thread completes, I cannot call
> gss_krb5_ccache_name from anywhere else in my application - that
> increases the delay in a multi-threaded application even more.
>
> That was the reason why I wanted to know whether gss_init_sec_context
> somehow accepts a local parameter so that initializing security
> contexts of different users can be independent of each other.
The gss_init_sec_context function accepts a gss_cred_id_t parameter that represents the initiator credential. This credential can be obtained for an arbitrary account using the gss_acquire_cred function, provided a credential for the desired account is available for the target mechanism.

There is no need to change your identity with setuid unless you will be performing local operations that require the identity to be a certain local account. GSSAPI has no knowledge of local accounts and never looks at the default identity of the user (however, if no gss_cred_id_t is supplied at all, the underlying mechanism may use the local identity to guess where it might find credentials). Meaning, you want to export the KRB5CCNAME environment variable to point to a ccache file with credentials for the desired account. This assumes of course that there is such a credential. Unfortunately GSSAPI does not define how to acquire initial credentials.

Like I said - there are a lot of details that are not handled by GSSAPI alone.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos