krb5_gss_acquire_cred() vs multiple credential caches

Alexandra Ellwood lxs at MIT.EDU
Mon Feb 12 12:44:03 EST 2007

On Feb 12, 2007, at 12:07 PM, Jeffrey Altman wrote:

>> It sounds like either output_cred_handle is not being created
>> correctly or is not being passed around properly.
> The problem was occurring within gss_acquire_cred() before the
> output_cred_handle was returned to the caller.
> krb5_gss_acquire_cred() is called multiple times within
> gss_acquire_cred() and each time krb5_gss_acquire_cred() was  
> allocating
> a new krb5_context and the logic that would have obtained the  
> previously
> returned ccache name was failing.
> I think we are all in agreement with how this code should behave.

I'm talking about the output_cred_handle returned by  
krb5_gss_acquire_cred().  I will continue to assert that the  
krb5_context should not be relevant in this case because the ccache  
should be passed around in the output_cred_handle.  If the code falls  
back to looking at the krb5_context then something has already gone  

Also note that I'm not disputing the existence of the bug.  I believe  
I've seen it at least once before but didn't have time to track it  
down and then couldn't reproduce it later.


Alexandra Ellwood <lxs at>
MIT Kerberos Development Team

More information about the krbdev mailing list