gss_init_sec_context() failed: : Ccache function not supported:

peter huang peter.huang at hp.com
Wed Apr 13 01:57:20 EDT 2005


I'm glad more was asked about this subject; I gained more understanding of 
how this should work.  In this case, the gss_init_sec_context failed trying 
to get a cross-realm TGT using MSLSA ccache but had no problem if I used 
API:krb5cc ccache.  The realm info is more explicit in krb5.ini but I did not 
use ksetup to identify additional realms (I did add the trust relationship 
with AD DC).

Finally, my mention of kclient with ftp was erroneous here.  The ftp.exe 
is the standard gssftp using gssapi32.dll.  I'm getting a miscellaneous 
failure using MSLSA with the same read-only ccache not supported.

-peter huang

"Jeffrey Altman" <jaltman2 at nyc.rr.com> wrote in message 
news:e_07e.15836$mp6.433216 at twister.nyc.rr.com...
> Kevin Coffman wrote:
>
>>>Sure, but it doesn't sound like gss_init_sec_context should do any of
>>>these.
>>
>>
>> Doesn't it, as a by-product, get a service ticket and store it?
>
> The way it works is that when the MSLSA ccache is asked to store
> a ticket in the cache, the library in turn issues a Ticket Getting
> Request to the LSA which in turn results in the ticket appearing
> in the LSA cache.
>
> The only ccache api functions which return a KRB5_CC_READONLY error are:
>
>  generate_new
>  store         (only if the LSA is unable to obtain a matching ticket)
>  remove_cred
>
> Now there is one possibility.  Perhaps the Windows Kerberos subsystem
> has no knowledge of the realm from which you are obtaining tickets.
> If the realm information is only located in the krb5.ini file and
> has not been configured via ksetup.exe, you may see KRB5_CC_READONLY
> errors.
>
> Jeffrey Altman
>
>
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu 
