Creating GSSAPI initiate credential using keytab entry

Russ Allbery rra at
Mon Mar 8 12:16:53 EST 2010

"Richard Evans" <richard.evans at> writes:

> Thanks for this.  Sort of glad that I had missed anything.  I do agree
> that this is a flaw in the GSS API.

> I'll take a look at your code.

Oh, sorry, I didn't pay sufficient attention to your subject line and
think about this.  That code obtains credentials from a password.  You
want to use a keytab.  That's a minor modification, but it's a
modification; replace:

    status = krb5_get_init_creds_password(ctx, &creds, princ, NULL,
                 krb5_prompter_posix, NULL, 0, NULL, opts);


    krb5_keytab keytab = NULL;

    status = krb5_kt_resolve(ctx, path, &keytab);
    if (status != 0)
        die_krb5(ctx, status, "error resolving keytab %s", path);
    status = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0,
                 NULL, opts);

where path is the path to your keytab.  Otherwise, it's the same.

> Just for interest, is there any reason why the Kerberos version of
> gss_acquire_cred should not get the credentials itself?  It should have
> access to all the information it needs.

It does get the credentials that it needs given a ticket cache with a TGT.
If you don't already have an existing ticket cache, it's not clear what
the right thing to do is.  In your case, you want to use a keytab
(presumably the default system one), but the right thing to do may be to
use some other keytab or to fail because this is a client program that
should be run by a user with their own credentials acquired with kinit or

There isn't any way to communicate through the GSSAPI layer what the right
thing to do is, so it requires an existing ticket cache.

Russ Allbery (rra at             <>

More information about the krbdev mailing list