One more question WRT gssapi...

Matt Crawford crawdad at
Thu Jul 21 18:22:21 EDT 2005

> Must the account that a service is logged in as do a "kinit" as the 
> principal it intends to use prior to using the GSSAPI function 
> gss_acquire_cred ?  Or is it sufficient to have the key for the 
> credential in question in the /etc/krb5.keytab file?

No and yes.

> In other words, must I do:
> kinit -t /etc/krb5.keytab service/host at
> ./myserverdaemon
> ? or will gssapi handle it for me?

No, and "sort of."  The service never has to contact the KDC.  Its 
"credential" is a very different thing than the client's.

More information about the krbdev mailing list