如何使用已建立的GSS API上下文获取客户端用户名

时间:2015-11-15 12:01:39

标签: linux kerberos gssapi sspi

我正在实施Windows - >使用Kerberos的Linux透明身份验证。在Windows端我使用SSPI。我成功地在Windows客户端和Windows服务器之间建立了上下文,检索客户端的用户名:

SecPkgContext_Names extraData;
res = QueryContextAttributes(&context, SECPKG_ATTR_NAMES, &extraData);

现在是时候做同样的事了,但是在Linux上。我使用gss_accept_sec_context并返回GSS_S_COMPLETE,并且类型为gss_ctx_id_t的变量被填充。 但我很难获得客户名称。我除了可以使用gss_inquire_sec_context_by_oid完成,但是,我无法找到要传递的内容

const gss_OID /*desired_object*/

有人能指点我吗?

1 个答案:

答案 0 :(得分:0)

好的,我终于找到了解决方案。它总是在表面上 - 愚蠢的我。

static gss_OID_desc mechDescKERBEROS = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
static gss_OID      mechKERBEROS = &mechDescKERBEROS;

gss_ctx_id_t        serverContext = GSS_C_NO_CONTEXT;

// Establish context....

// Now we have established context. All lines below are for getting source user name in form of username@DOMAIN.COM (I got it capitalized, yes)
gss_name_t  srcName = NULL;
gss_name_t  targetName = NULL;
OM_uint32   lifetime;
OM_uint32   ctxFlags = 0;
int         locallyInitiated = 0;
int         open = 0;
maj_stat = gss_inquire_context(&min_stat, serverContext, &srcName, &targetName, &lifetime, &mechKERBEROS, &ctxFlags, &locallyInitiated, &open);
if (maj_stat == GSS_S_COMPLETE)
{
    gss_buffer_desc buff = GSS_C_EMPTY_BUFFER;
    maj_stat = gss_display_name(&min_stat, srcName, &buff, &GSS_C_NT_USER_NAME);
    if (maj_stat == GSS_S_COMPLETE)
    {
        std::string tmp((char*)buff.value);
        // tmp now contains our name
        // Release buffer
        maj_stat = gss_release_buffer(&min_stat, &buff);
    }

    // Release names
    if (srcName != NULL)
        maj_stat = gss_release_name(&min_stat, &srcName);
    if (targetName != NULL)
        maj_stat = gss_release_name(&min_stat, &targetName);
}