curl-library

Re: Kerberos multiple principals having same realms issue.

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Fri, 18 Jul 2014 08:46:42 +0200

> Hi,
>
> We are observing an issue when running curl under negotiate with multiple principals both having the same realm (say user1/krbnet.com@EXAMPLE.COM and user2/krbnet.com@EXAMPLE.COM).
>
> We are using directory cache to update the cache with both the principals.
>
> kinit -kt user1/krbnet.com@EXAMPLE.COM
> kinit -kt user2/krbnet.com@EXAMPLE.COM
>
> curl library is loading only the primary credentials (here user2) in the Kerberos cache and working even though there are user1 and user2 credentials in the Kerberos cache.
>
> Is there any option in curl to specify the negotiate connection based on the principal?
>
> Can anybody suggest a way to work with curl if multiple Kerberos principals are present and both point to the same realm?

Hi,

this is obviously not a curl problem itself. You have two options for this:

1. Read MIT Kerberos documentation on DIR [1] and use kswitch
2. Patch curl to accept a UPN with -u michael-o@COMPANY.COM, import name,
pass along to gss_init_sec_context and hope that MIT Kerberos picks that up. (Not tried)

Michael

[1] http://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html#col-ccache
Received on 2014-07-18
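
A variant of option 1 from the reply, as an added example that is not part of the original mail or of curl: instead of changing the collection's primary with kswitch, look up the subsidiary cache that `klist -l` lists for the wanted principal and hand only that cache to one curl invocation through `KRB5CCNAME`. The function names `ccache_for_principal` and `curl_as`, the cache paths and the sample listing are assumptions constructed for illustration; the listing layout follows what MIT Kerberos `klist -l` prints.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires MIT Kerberos klist
# and a curl built with GSS-API support for the curl_as wrapper.

# Constructed sample of `klist -l` output for a DIR: collection.
SAMPLE_KLIST='Principal name                 Cache name
--------------                 ----------
user2/krbnet.com@EXAMPLE.COM   DIR::/tmp/krb5cc_dir/tkt
user1/krbnet.com@EXAMPLE.COM   DIR::/tmp/krb5cc_dir/tktAbC123
user3/krbnet.com@EXAMPLE.COM   DIR::/tmp/krb5cc_dir/tktZyX987 (Expired)'

# ccache_for_principal PRINCIPAL
# Reads `klist -l` style output on stdin and prints the cache name listed
# for PRINCIPAL. Returns 1 when the principal is absent or its cache is
# marked "(Expired)", so the caller never falls back to another identity.
ccache_for_principal() {
    awk -v want="$1" '
        $1 == want && $3 != "(Expired)" { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# curl_as PRINCIPAL [curl arguments...]
# Runs curl with Negotiate using only the cache that belongs to PRINCIPAL.
# The primary cache of the collection is left untouched, so other processes
# sharing the DIR: collection keep the identity they had.
curl_as() {
    principal=$1
    shift
    cc=$(klist -l | ccache_for_principal "$principal") || {
        echo "no usable ticket cache for $principal" >&2
        return 1
    }
    # KRB5CCNAME set for this one command only; "-u :" lets GSS-API pick
    # the credentials from that cache.
    KRB5CCNAME="$cc" curl --negotiate -u : "$@"
}
```

Called as `curl_as user1/krbnet.com@EXAMPLE.COM https://service.example.com/`, where the URL is a placeholder; the call fails closed when the requested principal has no valid cache.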