Client keytab ignored when CC has expired

Greg Hudson ghudson at MIT.EDU
Tue Jul 29 16:57:49 EDT 2014


On 07/29/2014 04:50 PM, Michael Osipov wrote:
> my application tries to acquire a GSS credential with a client keytab:
> 
> $ KRB_CLIENT_KTNAME=$HOME/client.keytab app

The environment variable is KRB5_CLIENT_KTNAME, not KRB_CLIENT_KTNAME.
Did you use the correct variable name?

> No credential is obtained. At that time, the credential was already 
> expired.

Was the credential acquired using the client keytab via GSSAPI, or by
hand?  The intent is that we refresh credentials obtained using the
client keytab when they are halfway to expired, but that only works if
they were acquired by GSSAPI from the client keytab in the first place.


More information about the Kerberos mailing list