One more question WRT gssapi...
Matt Crawford
crawdad at fnal.gov
Thu Jul 21 18:22:21 EDT 2005
> Must the account that a service is logged in as do a "kinit" as the
> principal it intends to use prior to using the GSSAPI function
> gss_acquire_cred ? Or is it sufficient to have the key for the
> credential in question in the /etc/krb5.keytab file?
No and yes.
> In other words, must I do:
>
> kinit -t /etc/krb5.keytab service/host at foo.com
> ./myserverdaemon
>
> ? or will gssapi handle it for me?
No, and "sort of." The service never has to contact the KDC. Its
"credential" is a very different thing than the client's.
More information about the krbdev
mailing list