gss_accept_sec_context failing after getting service ticket using service name and password

Jeffrey Hutzelman jhutz at
Fri May 26 11:44:37 EDT 2006

On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba <gauravg77 at> 

> Hi Nicolas,
> No, I do not mean gss_init_sec_context().
> I want to do gss_accept_sec_context() only.
> gss_accept_sec_context() requires gss_acquire_creds() for getting the
> service credentials from the keytab file. But I do not have the keytab
> file and I have got the service credentials using service name and
> password using krb5_get_credentials() call. Now I want
> gss_accept_sec_context() to use these credentials instead of the one from
> keytab file.
> Am I trying something wrong here?

Yes, because you're trying to mix GSS and Kerberos terminology.
In Kerberos, "credentials" always refers to something a client has to prove 
its identity to a server; that is, a ticket.

In GSS, client credentials are tickets, but service credentials are what a 
service needs to accept contexts and prove its identity to a client.  For 
the Kerberos mechanism, that's a service key, which is generally stored in 
a keytab.  You can't use client credentials; they don't contain the 
long-term service key, which is what is needed to handle incoming requests.

With a couple of unfortunate exceptions, if you are using the GSS-API, you 
should not be making _any_ calls directly to the Kerberos library.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the krbdev mailing list