GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not found in keytab

Greg Hudson ghudson at mit.edu
Fri Nov 11 13:44:54 EST 2022


On 11/11/22 10:33, Kerberos Enthusiast wrote:
> It seems, if multiple servers supply separate keytabs, then the
> subsequent kerberos auth request targeted for multiple kerberos servers
> with separate keytabs and application keep on
> updating "default_keytab_name" global variable and it causes some of the
> authentication requests to fail and it throws this error

There is no global variable named default_keytab_name in MIT krb5. 
There is a krb5.conf configuration variable with this name, but it is 
never changed by the GSS or Kerberos libraries.

> *"GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not
> found in keytab" *(major code - 186a5, d0000)

This message is a little bit puzzling, because the principal name 
("HTTP/") is incomplete, and because the message of this form in the 
code includes a parenthetical about the ticket kvno.

> Using this api *krb5_gss_register_acceptor_identity() *to set the default
> keytab file for kerberos authentication.

This function sets a thread-specific global variable.  It should work to 
invoke it before each call to gss_acquire_cred(), or before each call to 
gss_accept_sec_context() using the default acceptor credential.  Or:

> Can we use any other gss_api to maintain the local context of the keytab
> file and send this keytab for every authentication request?

gss_acquire_cred_from() allows the caller to specify a keytab name when 
acquiring credentials.  See:

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#credential-store-extensions

