Client keytab ignored when CC has expired

Michael Osipov 1983-01-06 at gmx.net
Wed Jul 30 02:34:51 EDT 2014


> On 07/29/2014 04:50 PM, Michael Osipov wrote:
> > my application tries to acquire a GSS credential with a client keytab:
> > 
> > $ KRB_CLIENT_KTNAME=$HOME/client.keytab app
> 
> The environment variable is KRB5_CLIENT_KTNAME, not KRB_CLIENT_KTNAME.
> Did you use the correct variable name?

I am sorry, that was a typo of course. I have set KRB5_CLIENT_KTNAME in my .profile.
 
> > No credential is obtained. At that time, the credential was already 
> > expired.
> 
> Was the credential acquired using the client keytab via GSSAPI, or by
> hand?  The intent is that we refresh credentials obtained using the
> client keytab when they are halfway to expired, but that only works if
> they were acquired by GSSAPI from the client keytab in the first place.

The credential was acquired either by kinit password or by kinit -k -t.
If I understood you correctly, the API makes a difference here. By hand or by
cient keytab. The problem is that one has sometimes no control over, even worse
I cannot check how the credential was obtained because klist does not reveil that
information.

Why is there a difference in the first place?

Thanks,

Michael


More information about the Kerberos mailing list