On Fri, 3 Apr 2015, Jade Koskela wrote:

> Hello all,
>
> I would like to use gss_store_cred_into, or some similar method, to store a
> delegated TGT into the Windows LSA cache. I tried this using the Kerberos API
> and GSSAPI, but wasn't successful. I also just tried kinit -c MSLSA:. In all
> cases, when the credential for the delegated user was stored in the LSA,
> the credential cache was purged of all of the tickets for the original
> user, and new tickets were stored.
>
> Is there any way to store tickets from multiple users in the LSA via
> Kerberos or GSSAPI?
To clarify slightly more on what was mentioned in IRC (and get the answer
in the archives), libkrb5 (and thus the GSS interfaces) assume that the
MSLSA: cache type can only contain credentials for one client principal at
a time. As such, trying to add new credentials using one of those routines
will have the effect of overwriting any existing credentials [for a
different client principal].

This restriction is probably not inherent to the Windows LSA itself, as the
KerbSubmitTicketMessage seems to allow submitting a ticket for a different
client principal, but I have not done any experimentation in this area.
(It is possible that software trying to use the LSA cache would get very
confused when presented with this situation, for example.)

-Ben Kaduk

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos