gss_accept_sec_context failing after getting service ticket using service name and password

Michael B Allen mba2000 at
Fri May 26 23:06:06 EDT 2006

On Fri, 26 May 2006 01:25:39 -0500
Nicolas Williams <Nicolas.Williams at> wrote:

> > Is there a way
> > to convert from krb5_creds to gss_cred_id_t?
> No, there isn't.
> For Solaris Nevada we're looking at adding a mechanism-specific
> gss_acquire_cred_from_ccache() GSS-API extension.

At some point don't you just want to punt and use opaque types? Using an
import/export or inquire_by_oid kind of interface implies the result
can be represented in a serialized form which is somewhat annoying.

For example if you want to get a mechanism specific credential you could
have a function like:

  void *gss_cred_to_mech_cred(gss_cred_id_t credential);

or for Java you might have:

  Object GSSCredential.toMechCredential();

which would return a KerberosTicket:

  KerberosTicket tkt = cred.toMechCredential();

And just to sanity check the conversion perhaps the routine should
take a mech OID. Or one could query the mech for a provider OID so they
can be certain to differentiate between types from different providers
(e.g. krb5_ticket as opposed to shishi_ticket).

Otherwise you risk overspecifying things IMHO.


More information about the krbdev mailing list