One more question WRT gssapi...
Jiva DeVoe
jiva at devoesquared.com
Tue Jul 26 17:04:07 EDT 2005
Hmm, my tests do not bare this out...
Specifically, I find I MUST issue a kinit -t /etc/krb5.keytab service/
host at foo.com before attempting running my application which then does
a gss_acquire_cred.
Is this correct?
On Jul 21, 2005, at 6:22 PM, Matt Crawford wrote:
>> Must the account that a service is logged in as do a "kinit" as
>> the principal it intends to use prior to using the GSSAPI function
>> gss_acquire_cred ? Or is it sufficient to have the key for the
>> credential in question in the /etc/krb5.keytab file?
>>
>
> No and yes.
>
>
>> In other words, must I do:
>>
>> kinit -t /etc/krb5.keytab service/host at foo.com
>> ./myserverdaemon
>>
>> ? or will gssapi handle it for me?
>>
>
> No, and "sort of." The service never has to contact the KDC. Its
> "credential" is a very different thing than the client's.
>
>
--
Jiva DeVoe
http://www.devoesquared.com
PowerCard - Intuitive Project Management Software for Mac OS X
More information about the krbdev
mailing list