One more question WRT gssapi...

Jeffrey Altman jaltman at MIT.EDU
Tue Jul 26 23:22:31 EDT 2005

Jiva DeVoe wrote:

> Right, exactly... and for gss_wrap you have to have a context, which I
> assume you're saying should be the one sent from the client.

You need the context for any gss_xxx() call that you make on either side
of the connection. On the server, the context is the output of the
gss_accept_context() call.

> Ok, so that said... what about the peer to peer case?  What if I have
> two long-running server processes that need to communicate?  What's the
> "appropriate" way to handle that?

If you have two long term processes, one of them becomes a client and
the other is a server. The client will call gss_init_context() and
will obtain an initial TGT using init with a keytab file.

> A server still has to do a gss_acquire_cred right?  It's just that it 
> doesn't need to have done a kinit for it right?  Or does a server not 
> even need to do gss_acquire_cred?

gss_acquire_cred() is called by the server. See the gss-server.c
example server_acquire_creds() function.

Jeffrey Altman
