keytab to krb5_creds?

Greg Hudson ghudson at MIT.EDU
Fri Jan 28 14:57:14 EST 2011

On Fri, 2011-01-28 at 14:49 -0500, John Hascall wrote:
> It seems to me that one ought to be able to construct a
> krb5_creds struct given a keytab (and the princ name you
> want from it)?  [probably re-inventing a number of wheels
> due to non-publically visible functions]
> Is this correct?

The problem is not completely specified.  A keytab entry contains a
principal and a key (and some other stuff).  A krb5_creds struct
contains a client principal, a service principal, a ticket session key,
and a ticket (and some other stuff).

If you have a keytab entry for the principal P, then you can locally
construct C->P credentials for any client principal C.  We don't have
the library routines to make it easy, and you won't necessarily get the
authdata you want in the ticket, but it's possible without any
additional knowledge.

If you have a keytab entry for the principal P, you can contact the KDC
to get P->S principals for most service principals S.  This is a common
use case and is implemented by krb5_get_init_creds_keytab().  You can't
locally construct credentials like that because you don't know S's key.

More information about the Kerberos mailing list