Creating GSSAPI initiate credential using keytab entry

Russ Allbery rra at
Mon Mar 8 12:20:59 EST 2010

Greg Hudson <ghudson at MIT.EDU> writes:

> * Create a ccache with krb5_cc_new_unique().  Pass "MEMORY" as the type
> parameter and NULL as the hint.  Clean this up later with
> krb5_cc_destroy().

This assumes that you are linking your program with the same Kerberos
library that's used by the underlying GSSAPI Kerberos mechanism
implementation and hence destroys GSSAPI implementation agility.  But yes,
this is probably a reasonable tradeoff in most situations.  (It's not a
tradeoff that I can make in the example code that I posted; it's a
requirement of that code that it be able to use an underlying GSSAPI
mechanism implementation linked with a different Kerberos library than

> * Use gss_krb5_ccache_name() to get GSSAPI to use your memory ccache.
> (Call krb5_cc_get_name() to get the ccache name.)  This function sets a
> thread-specific variable.

I didn't realize this was thread-specific.  Thanks for that!  I was
assuming that was going to do something equivalent to setting the
environment variable, since it doesn't take a GSSAPI context or any other
state information.

Russ Allbery (rra at             <>

More information about the krbdev mailing list