gss_accept_sec_context failing after getting service ticket using service name and password
Jeffrey Hutzelman
jhutz at cmu.edu
Fri May 26 11:44:37 EDT 2006
On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba <gauravg77 at gmail.com>
wrote:
> Hi Nicolas,
>
> No, I do not mean gss_init_sec_context().
> I want to do gss_accept_sec_context() only.
>
> gss_accept_sec_context() requires gss_acquire_creds() for getting the
> service credentials from the keytab file. But I do not have the keytab
> file and I have got the service credentials using service name and
> password using krb5_get_credentials() call. Now I want
> gss_accept_sec_context() to use these credentials instead of the one from
> keytab file.
>
> Am I trying something wrong here?

Yes, because you're trying to mix GSS and Kerberos terminology.

In Kerberos, "credentials" always refers to something a client has to prove
its identity to a server; that is, a ticket.

In GSS, client credentials are tickets, but service credentials are what a
service needs to accept contexts and prove its identity to a client. For
the Kerberos mechanism, that's a service key, which is generally stored in
a keytab. You can't use client credentials; they don't contain the
long-term service key, which is what is needed to handle incoming requests.

With a couple of unfortunate exceptions, if you are using the GSS-API, you
should not be making _any_ calls directly to the Kerberos library.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA