gss_accept_sec_context failing after getting service ticket usingservice name and password

Michael B Allen mba2000 at
Mon May 29 15:55:46 EDT 2006

On Mon, 29 May 2006 14:16:23 +0530
"Gaurav Gaba" <gauravg77 at> wrote:

> Also, is there a way by which I can do away with the keytab mechanism all
> together?

Sure. Most kerberos implementations have "string to key" routines that
can produce a key from a password. Drill down through the source for
krb5_get_init_creds_password. Once you have the key you might be able
to maually create a gss_cred_id_t that gss_accept_sec_context will
recognise. Otherwise you will need to modify GSSAPI to accept the key
directly and then use it to decrypt client data. Easy!


The "normal" way this is done is to generate a keytab from a
password. This is not difficult. You can do it using ktpass.exe if your
KDC is Windows. Then call putenv("KRB5_KTNAME=/path/to/service.keytab")
before gss_accept_sec_context is called.


More information about the krbdev mailing list