Creating GSSAPI initiate credential using keytab entry

Richard Evans richard.evans at
Mon Mar 8 05:00:34 EST 2010

I am attempting to use GSSAPI to connect to a remove service using a
keytab entry as the principal.

I believe that the gss_acquire_cred call requires a matching entry in
the credentials cache in order
to get the TGT.

So I guess I would need to:

1. Use a KRB5 API call to get the credentials for the relevant keytab
2. Store them in a temporary cache file (I don't want to mess with the
cache for the current user)
3. Set the KRB5CCNAME environment variable to point at this location
4. Call gss_acquire_cred to get the initiator credentials
5. Restore the previous value of KRB5CCNAME, if any
6. Delete the temporary cache file

Is there any example code which shows how to do this?  I've searched
around and not found much 
documentation in this area.  Also, can this be done in a thread-safe
way? I don't like the idea of 
temporarily overriding an environment variable.

Any help would be appreciated.


More information about the krbdev mailing list