gss_accept_sec_context failing after getting service ticket using service name and password

Gaurav Gaba gauravg77 at
Fri May 26 03:16:02 EDT 2006

Hi Nicolas,

No, I do not mean gss_init_sec_context().
I want to do gss_accept_sec_context() only.

gss_accept_sec_context() requires gss_acquire_creds() for getting the
service credentials from the keytab file. But I do not have the keytab file
and I have got the service credentials using service name and password using
krb5_get_credentials() call. Now I want gss_accept_sec_context() to use
these credentials instead of the one from keytab file.

Am I trying something wrong here?

Gaurav G.

On 5/26/06, Nicolas Williams <Nicolas.Williams at> wrote:
> On Fri, May 26, 2006 at 11:44:24AM +0530, Gaurav Gaba wrote:
> > Now, I want to do accept context by invoking gss_accept_sec_context()
> but it
> Er, I think you want gss_init_sec_context() here.
> > requires the credentials
> > in gss_cred_id_t form whereas krb5_get_credentials() returns creds in
> > krb5_creds form. Is there a way
> > to convert from krb5_creds to gss_cred_id_t?
> No, there isn't.
> For Solaris Nevada we're looking at adding a mechanism-specific
> gss_acquire_cred_from_ccache() GSS-API extension.
> In the meantime you can use the KRB5CCNAME environment variable to
> reference the ccache you wrote the ticket to.
> > I also tried explicitly storing the service ticket in default
> credentials
> > cache using krb5_cc_store_cred()
> > and then making the call to gss_accept_sec_context() with
> > acceptor_cred_handle as GSS_C_NO_CREDENTIAL so that
> > it picks up default credentials but gss_accept_sec_context() call fails.
> That's because you should probably be using gss_init_sec_context().

More information about the krbdev mailing list