gss_accept_sec_context failing after getting service ticket using service name and password

Gaurav Gaba gauravg77 at gmail.com
Fri May 26 03:16:02 EDT 2006


Hi Nicolas,

No, I do not mean gss_init_sec_context().
I want to do gss_accept_sec_context() only.

gss_accept_sec_context() requires gss_acquire_creds() for getting the
service credentials from the keytab file. But I do not have the keytab file
and I have got the service credentials using service name and password using
krb5_get_credentials() call. Now I want gss_accept_sec_context() to use
these credentials instead of the one from keytab file.

Am I trying something wrong here?

Thanks,
Gaurav G.


On 5/26/06, Nicolas Williams <Nicolas.Williams at sun.com> wrote:
>
> On Fri, May 26, 2006 at 11:44:24AM +0530, Gaurav Gaba wrote:
> > Now, I want to do accept context by invoking gss_accept_sec_context() but it
>
> Er, I think you want gss_init_sec_context() here.
>
> > requires the credentials
> > in gss_cred_id_t form whereas krb5_get_credentials() returns creds in
> > krb5_creds form. Is there a way
> > to convert from krb5_creds to gss_cred_id_t?
>
> No, there isn't.
>
> For Solaris Nevada we're looking at adding a mechanism-specific
> gss_acquire_cred_from_ccache() GSS-API extension.
>
> In the meantime you can use the KRB5CCNAME environment variable to
> reference the ccache you wrote the ticket to.
>
> > I also tried explicitly storing the service ticket in default credentials
> > cache using krb5_cc_store_cred()
> > and then making the call to gss_accept_sec_context() with
> > acceptor_cred_handle as GSS_C_NO_CREDENTIAL so that
> > it picks up default credentials but gss_accept_sec_context() call fails.
>
> That's because you should probably be using gss_init_sec_context().
>


