
Welcome to the radcli wiki!

Goal: Radcli supports authenticating with username/password. Figure out how to support authentication using a keytab and principal name.

Use a keytab and a principal name when authenticating

Create and use a keytab file

>ktutil
addent -password -p [email protected] -k 1 -e RC4-HMAC
- enter password for username -
wkt realm_ad.keytab
q
> kdestroy
> kinit [email protected] -k -t realm_ad.keytab; 
> klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: [email protected]

Valid starting       Expires              Service principal
2017-01-27 10:30:00  2017-01-27 20:30:00  krbtgt/[email protected]
	renew until 2017-02-03 10:30:00

Preset a computer using the principal name and the credentials cache (-C option).

> adcli preset-computer server_temp -D example.com -U Administrator -C
> ltrace -o preset_trace.ltrace  adcli preset-computer server_temp -D example.com -U Administrator -C
computer-name: server_temp

> grep "krb5_cc" preset_trace.ltrace 
krb5_cc_default(0x7fcf58bfe490, 0x7fcf58bf0110, 1, 0)                                                           = 0
krb5_cc_get_full_name(0x7fcf58bfe490, 0x7fcf58bfe8d0, 0x7fcf58bf0058, 0x7fcf58bfe8e0)                           = 0
gss_krb5_ccache_name(0x7ffcabb30ee8, 0x7fcf58c030f0, 0, 0)                                                      = 0
gss_krb5_ccache_name(0x7ffcabb30ee8, 0, 0, 0)                                                                   = 0
krb5_cc_close(0x7fcf58bfe490, 0x7fcf58bfe8d0, 0x7fcf5745d770, 0x7fcf58c03110)                                   = 0
[marten@radcli radcli]$ 

Adcli function calls

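/*
 * Obtain initial Kerberos credentials for conn->user_name using
 * conn->user_password (password-based kinit).
 *
 * conn:            connection holding the krb5 context, user name and
 *                  password; must not be NULL.
 * in_tkt_service:  service principal passed through to
 *                  krb5_get_init_creds_password (NULL for the default TGT).
 * ccache:          if non-NULL, the obtained credentials are written to this
 *                  cache via the "out ccache" option.
 * creds:           if non-NULL, receives the credentials (caller frees the
 *                  contents); if NULL, a local dummy is used and released here.
 *
 * Returns 0 on success, otherwise the krb5 error code of the failing call.
 *
 * The krb5_get_init_creds_password() call is the only place the password is
 * consumed; a keytab-based variant of this routine would substitute the
 * keytab form of the init-creds call at that point and leave the principal,
 * option and ccache handling unchanged.
 */
krb5_error_code
_adcli_kinit_user_creds (adcli_conn *conn,
                         const char *in_tkt_service,
                         krb5_ccache ccache,
                         krb5_creds *creds)
{
        krb5_get_init_creds_opt *opt = NULL;
        krb5_principal principal = NULL;
        krb5_error_code code;
        krb5_context k5;
        krb5_creds dummy;

        assert (conn != NULL);

        k5 = adcli_conn_get_krb5_context (conn);

        /* Zeroed up front so the unconditional free in the cleanup path is
         * safe regardless of which call failed. */
        memset (&dummy, 0, sizeof (dummy));
        if (!creds)
                creds = &dummy;

        /* Nothing is held yet, so an early return is leak-free here. */
        code = krb5_parse_name (k5, conn->user_name, &principal);
        return_val_if_fail (code == 0, code);

        /* From here on, principal (and then opt) must be released on every
         * failure path; returning directly would leak them. */
        code = krb5_get_init_creds_opt_alloc (k5, &opt);
        if (code != 0)
                goto out;

        if (ccache) {
                code = krb5_get_init_creds_opt_set_out_ccache (k5, opt, ccache);
                if (code != 0)
                        goto out;
        }

        code = krb5_get_init_creds_password (k5, creds, principal,
                                             conn->user_password, null_prompter, NULL,
                                             0, (char *)in_tkt_service, opt);

out:
        if (principal)
                krb5_free_principal (k5, principal);
        if (opt)
                krb5_get_init_creds_opt_free (k5, opt);
        /* dummy is all-zero unless it was used as the creds target, so this
         * is a no-op in the caller-supplied case. */
        krb5_free_cred_contents (k5, &dummy);

        return code;
}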
