gss_acquire_cred failing with no keytable entry found

Amritanshu amritanshu at
Tue Nov 28 00:41:28 EST 2017

Hello Kerberos!

I am trying to make a windows client authenticate with a Linux server in a
domain-joined scenario, I have created a service principal based on the
documentation provided as part of PBIS/gssapps and MSDN GSS/SSPI interop
documentation [0, 1]. Updated the relevant Keytab entry in
/etc/krb5.keytab. I am using krb5-1.15.2,
Then I am using the following code on server side to acquire_cred

static int server_acquire_creds(
    char *service_name,
    gss_cred_id_t *server_creds
    int ret = 0;
    gss_buffer_desc name_buf = GSS_C_EMPTY_BUFFER;
    gss_name_t server_name = GSS_C_NO_NAME;
    OM_uint32 maj_stat = 0, min_stat = 0;

    name_buf.value = service_name;
    name_buf.length = strlen((char *)name_buf.value) + 1;
    maj_stat = gss_import_name(&min_stat, &name_buf,
                               (gss_OID) gss_nt_service_name, &server_name);
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("importing name", maj_stat, min_stat);
        ret = -1;
        goto error;

    maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
                                GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
                                server_creds, NULL, NULL); <<--- it fails
    if (maj_stat != GSS_S_COMPLETE) {
        display_status("acquiring credentials", maj_stat, min_stat);
        ret = -1;
        goto error;

    (void) gss_release_name(&min_stat, &server_name);

    return ret;

**The error I am running into**:

GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code
may provide more information (851968, 851968, 0x000d0000)

GSS-API error acquiring credentials: No key table entry found matching gss\/ (39756033, 39756033, 0x025ea101)
The service_name passed is "gss/ at".

I downloaded and compiled the bits set up traces and breakpoints in libgss
bits while stepping through I found in krb5_gss_acquire_cred_from I see the
name that is passed is invalid and the gssalloc fails because it is asked
to allocate a very large amount of memory.

I do see the principal in ktutil/list
ktutil: list -e
114    2 gss/ at (des-cbc-crc)
~/work/gss$ hostname -A

This is happening on the server end, where it is going to do a gss_ASC,
command used to run the application is.

sudo ./gss-server gss/ at

so gss-server is acting as the "gss" part in the principal name.

Mostly looking for advice on how to go about debugging this.


More information about the Kerberos mailing list