Open eest opened 3 years ago
I have the same problem.
ping~
anybody?
Hello,
I was interested in being able to read a ticket cache on OSX and found issue #328, which is closed at this point. Being unable to reopen it, I decided to create a new issue.
The best overview I have found on the subject of the non-FILE cache used on OSX is this page: https://k5wiki.kerberos.org/wiki/Projects/KCM_client
From the page:

> Heimdal implements a credential cache type named "KCM" where operations are transmitted to a daemon process which manages the actual cache contents. The KCM daemon can be contacted via a Unix domain socket or, on OS X only, via Mach RPC. (There is also incomplete support in the source code for using Doors on Solaris.) On OS X 10.7 and later, the native default credential cache type uses the KCM protocol via Mach RPC. It is typically referred to via the "API" cache type for continuity with Kerberos for Macintosh; the API and KCM cache types have the same namespace in the native OS X Kerberos. Kerberos for Windows and Kerberos for Macintosh also implement a daemon-based cache type named "API". It uses a different protocol and transports.
So, a bit confusingly, even if `klist` on a modern OSX machine returns `Credentials cache: API:XXXXXXX`, it is actually backed by the Heimdal KCM protocol, reinforced in this mailing list thread: http://kerberos.996246.n3.nabble.com/API-cache-on-Mac-OSX-td44391.html

> Apple's API: cache is Heimdal's kcm daemon, which recent (1.13+) MIT supports as the KCM: ccache type.

As stated, there is an added quirk on OSX: while KCM uses UNIX domain sockets on other systems, on OSX it appears to be reached via Mach RPC calls, something I was not at all familiar with prior to investigating this.
The MIT kerberos code supports both, with the implementation found here: https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c
```c
/*
 * This cache type contacts a daemon for each cache operation, using Heimdal's
 * KCM protocol.  On macOS, the preferred transport is Mach RPC; on other
 * Unix-like platforms or if the daemon is not available via RPC, Unix domain
 * sockets are used instead.
 */
```
Looking around the Heimdal codebase, I believe the equivalent code is found here: https://github.com/heimdal/heimdal/blob/master/lib/ipc/client.c
What I feel most unsure about is how you would interact with the Mach RPC calls from this library; I have not been able to find any obvious native golang way of doing so.
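As an added example (not code from this thread, from gokrb5, or from the MIT/Heimdal sources linked above), here is a small Go client for the Unix-domain-socket transport of the KCM protocol the post describes: it frames requests the way cc_kcm.c does, asks the daemon for the default cache name, then asks for that cache's principal, which is what `klist` prints as "Default principal". The framing (4-byte big-endian length, version 2.0, 2-byte opcode), the opcodes 8/20, the NUL-terminated cache names, the principal encoding and the socket path are transcribed from those sources for this example and should be checked against them. It deliberately does not cover the Mach RPC transport that Apple's kcm prefers, so on macOS the socket may simply not be there; it does run against a kcm that listens on the socket (Heimdal's kcm or SSSD's kcm responder on Linux). Both length fields read off the socket are bounds-checked before anything is allocated, since they come from a process the client does not control.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
)

// Wire constants transcribed from MIT's cc_kcm.c and Heimdal's kcm for the Unix
// socket transport (assumptions for this example; check them against the sources).
// Apple's kcm is reached over Mach RPC, which this client does not speak.
const (
	kcmVersionMajor, kcmVersionMinor        = 2, 0
	kcmOpGetPrincipal                uint16 = 8
	kcmOpGetDefaultCache             uint16 = 20
	kcmSocketPath                           = "/var/run/.heim_org.h5l.kcm-socket" // assumed default
)

// EncodeRequest frames one request: 4-byte big-endian length of what follows,
// then major/minor version bytes, a 2-byte big-endian opcode and the payload.
func EncodeRequest(op uint16, payload []byte) []byte {
	body := append([]byte{kcmVersionMajor, kcmVersionMinor, byte(op >> 8), byte(op)}, payload...)
	out := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint32(out, uint32(len(body)))
	return append(out, body...)
}

// Call sends one request and reads the framed reply: a 4-byte length, then a
// 4-byte big-endian krb5 status code and the opcode-specific payload. A non-zero
// status is returned as an error carrying the raw krb5 error code.
func Call(rw io.ReadWriter, op uint16, payload []byte) ([]byte, error) {
	if _, err := rw.Write(EncodeRequest(op, payload)); err != nil {
		return nil, err
	}
	var hdr [4]byte
	if _, err := io.ReadFull(rw, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n < 4 || n > 1<<20 { // daemon-supplied length: bound it before allocating
		return nil, fmt.Errorf("kcm: bad reply length %d", n)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(rw, buf); err != nil {
		return nil, err
	}
	if status := binary.BigEndian.Uint32(buf); status != 0 {
		return nil, fmt.Errorf("kcm: op %d failed, krb5 code %d", op, status)
	}
	return buf[4:], nil
}

// ParsePrincipal decodes Heimdal's storage form of a principal (what MIT's
// k5_unmarshal_princ reads at version 4): 4-byte name type, 4-byte component
// count, realm as 4-byte length + bytes, then each component the same way.
func ParsePrincipal(b []byte) (string, error) {
	next := func() (string, error) { // one length-prefixed field, bounds-checked
		if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
			return "", errors.New("kcm: truncated principal")
		}
		n := binary.BigEndian.Uint32(b)
		s := string(b[4 : 4+n])
		b = b[4+n:]
		return s, nil
	}
	if len(b) < 8 {
		return "", errors.New("kcm: truncated principal")
	}
	ncomp := binary.BigEndian.Uint32(b[4:]) // b[:4] is the name type, not needed here
	b = b[8:]
	realm, err := next()
	if err != nil {
		return "", err
	}
	var comps []string // not preallocated: ncomp is daemon-controlled
	for i := uint32(0); i < ncomp; i++ {
		c, err := next()
		if err != nil {
			return "", err
		}
		comps = append(comps, c)
	}
	return strings.Join(comps, "/") + "@" + realm, nil
}

// DefaultPrincipal mirrors klist's "Default principal" line. GET_DEFAULT_CACHE
// returns the cache name NUL-terminated (krb5_store_stringz form), and the same
// form names the cache in the GET_PRINCIPAL request.
func DefaultPrincipal(rw io.ReadWriter) (cache, principal string, err error) {
	reply, err := Call(rw, kcmOpGetDefaultCache, nil)
	if err != nil {
		return "", "", err
	}
	i := bytes.IndexByte(reply, 0)
	if i < 0 {
		return "", "", errors.New("kcm: unterminated cache name")
	}
	cache = string(reply[:i])
	if reply, err = Call(rw, kcmOpGetPrincipal, append([]byte(cache), 0)); err != nil {
		return "", "", err
	}
	principal, err = ParsePrincipal(reply)
	return cache, principal, err
}

func main() {
	conn, err := net.Dial("unix", kcmSocketPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer conn.Close()
	cache, princ, err := DefaultPrincipal(conn)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("KCM:%s\t%s\n", cache, princ)
}
```

Run it on a host where `klist` reports a `KCM:` cache and compare the two outputs; if the socket path differs, the `kcm_socket` setting in `[libdefaults]` of krb5.conf is where MIT looks it up. The status code in the reply is a plain krb5 error code (the same values `com_err` prints), which is why a failed `GET_PRINCIPAL` on an empty cache comes back as an error rather than an empty principal.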
I finally got the credential file via the `kgetcred` command on macOS.
Hi - see #426 for a proposal on how to support this. I also need KCM support for an enterprise use case and would be happy to implement it if we can agree on how.