gss_accept_sec_context failing after getting service ticket using service name and password
paul.moore at centrify.com
Sat May 27 19:05:54 EDT 2006
Run the password through the string2key function, dump the result into a new keytab file and away you go.
From: Gaurav Gaba [mailto:gauravg77 at gmail.com]
Sent: Sat May 27 01:24:20 2006
To: Jeffrey Hutzelman; krbdev at mit.edu
Subject: Re: gss_accept_sec_context failing after getting service ticket using service name and password
I got the point you are trying to make.
The problem I have is that I want to do gss_accept_sec_context() but I do
not have the keytab file. So, I do not have the service key with me. What I
have is the service principal and its password.
How can I obtain the service key using the service principal and its
password and then pass it on to gss_accept_sec_context call?
On 5/26/06, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
> On Friday, May 26, 2006 12:46:02 PM +0530 Gaurav Gaba <gauravg77 at gmail.com
> > Hi Nicolas,
> > No, I do not mean gss_init_sec_context().
> > I want to do gss_accept_sec_context() only.
> > gss_accept_sec_context() requires gss_acquire_creds() for getting the
> > service credentials from the keytab file. But I do not have the keytab
> > file and I have got the service credentials using service name and
> > password using krb5_get_credentials() call. Now I want
> > gss_accept_sec_context() to use these credentials instead of the one
> > keytab file.
> > Am I trying something wrong here?
> Yes, because you're trying to mix GSS and Kerberos terminology.
> In Kerberos, "credentials" always refers to something a client has to
> its identity to a server; that is, a ticket.
> In GSS, client credentials are tickets, but service credentials are what a
> service needs to accept contexts and prove its identity to a client. For
> the Kerberos mechanism, that's a service key, which is generally stored in
> a keytab. You can't use client credentials; they don't contain the
> long-term service key, which is what is needed to handle incoming
> With a couple of unfortunate exceptions, if you are using the GSS-API, you
> should not be making _any_ calls directly to the Kerberos library.
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
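
The suggestion at the top of this message (string2key, then a new keytab), sketched as an added example that is not part of the original thread or of MIT krb5. It assumes enctype 23 (rc4-hmac), a legacy enctype whose string-to-key is an unsalted MD4 of the UTF-16LE password; AES enctypes use a salted PBKDF2-based string-to-key that should come from a Kerberos library. The principal, password, kvno and timestamp are constructed values, and the function names are this example's own.

```python
import struct

M = 0xFFFFFFFF
# (message-word order, shift amounts, additive constant) for each MD4 round, RFC 1320
ROUNDS = (
    (tuple(range(16)), (3, 7, 11, 19), 0),
    ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib may not expose it when OpenSSL disables legacy digests."""
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & M
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data += b"\x80" + b"\0" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for rnd, (order, shifts, const) in enumerate(ROUNDS):
            for i, k in enumerate(order):
                f = ((b & c) | (~b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d)[rnd]
                a, b, c, d = d, rol((a + f + X[k] + const) & M, shifts[i % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4_hmac_string2key(password: str) -> bytes:
    """string-to-key for enctype 23 (rc4-hmac): MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))

def keytab_bytes(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int) -> bytes:
    """Serialize one entry in the MIT keytab file format, version 0x0502 (big-endian)."""
    name, realm = principal.rsplit("@", 1)
    counted = lambda b: struct.pack(">H", len(b)) + b  # 16-bit length, then data
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + counted(realm.encode()) + b"".join(map(counted, comps))
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1, time, 8-bit kvno
    body += struct.pack(">H", enctype) + counted(key) + struct.pack(">I", kvno)  # key, 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    # Constructed sample values; kvno must equal the principal's current kvno at the KDC.
    key = rc4_hmac_string2key("password")
    kt = keytab_bytes("HTTP/web.example.test@EXAMPLE.TEST", 3, 23, key, 1148770000)
    print(key.hex(), len(kt))
```

The resulting bytes hold a password-equivalent long-term key, so write them to a file readable only by the service account (mode 0600) before pointing KRB5_KTNAME at it. The acceptor can only decrypt tickets whose enctype and kvno match an entry in the keytab.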