One more question WRT gssapi...

Jiva DeVoe jiva at
Tue Jul 26 17:04:07 EDT 2005

Hmm, my tests do not bare this out...

Specifically, I find I MUST issue a kinit -t /etc/krb5.keytab service/ 
host at before attempting running my application which then does  
a gss_acquire_cred.

Is this correct?

On Jul 21, 2005, at 6:22 PM, Matt Crawford wrote:

>> Must the account that a service is logged in as do a "kinit" as  
>> the principal it intends to use prior to using the GSSAPI function  
>> gss_acquire_cred ?  Or is it sufficient to have the key for the  
>> credential in question in the /etc/krb5.keytab file?
> No and yes.
>> In other words, must I do:
>> kinit -t /etc/krb5.keytab service/host at
>> ./myserverdaemon
>> ? or will gssapi handle it for me?
> No, and "sort of."  The service never has to contact the KDC.  Its  
> "credential" is a very different thing than the client's.

Jiva DeVoe
PowerCard - Intuitive Project Management Software for Mac OS X

More information about the krbdev mailing list