I have written some C code to connect to a Kerberized LDAP server. This all works fine, but at present, it currently generates a new TGT every time it connects, rather than using the one (assuming it already exists) in the default credenti开发者_Go百科als cache.
I have looked into using the likes of krb5_cc_resolve and krb5_initialize to get a reference to the cache, but this seems to destroy the cache if it already exists, along with any tickets it holds.
Basically, what I want to know is: is there any way of checking the default credentials cache for existing TGTs without destroying it?
krb5_cc_initialize clears the cache, as the documentation says. Just don't do that if you want to access an existing cache
From the docs:
Any existing credentials are discarded and the principal name for the cache is set to the value specified
Look in the code for kstart where it implements the -H option.
http://git.eyrie.org/?p=kerberos/kstart.git;a=blob;f=framework.c;h=66e851413a9b4d71fa4d61ded2f3c0d71cd03b0c;hb=HEAD
Basically, you need to check the expire time for the principal in the ticket.
/* Obtain the ticket. */
memset(&increds, 0, sizeof(increds));
code = krb5_cc_resolve(ctx, config->cache, &ccache);
if (code != 0)
goto done;
increds.client = config->client;
else {
code = krb5_cc_get_principal(ctx, ccache, &increds.client);
if (code != 0)
goto done;
}
code = get_krbtgt_princ(ctx, increds.client, &increds.server);
if (code != 0)
goto done;
code = krb5_get_credentials(ctx, 0, ccache, &increds, &outcreds);
if (code != 0)
goto done;
increds_valid = true;
/* Check the expiration time and renewal limit. */
if (code == 0) {
now = time(NULL);
then = outcreds->times.endtime;
if (config->happy_ticket > 0)
offset = 60 * config->happy_ticket;
else
offset = 60 * config->keep_ticket + EXPIRE_FUDGE;
if (then < now + offset)
code = KRB5KRB_AP_ERR_TKT_EXPIRED;
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论