Creating GSSAPI initiate credential using keytab entry

Richard Evans richard.evans at
Mon Mar 8 20:11:09 EST 2010

I've written a little test program based on this and it works fine.  
Thanks again.

Just a couple of queries:

I assume the context needs to be freed after the gss_acquire_cred call? 
i.e. the context is storing the memory cache?

One of the platforms I was experimenting with is AIX 5.3.  The Kerberos 
library there does not contain krb5_cc_new_unique.  Is there by any 
chance an older way of doing the same thing? The headers there mention 
krb5_cc_gen_new but it does not appear to be in the library.


-------- Original Message --------
> On Mon, 2010-03-08 at 05:00 -0500, Richard Evans wrote:
> > 1. Use a KRB5 API call to get the credentials for the relevant keytab
> > entry
> > 2. Store them in a temporary cache file (I don't want to mess with the
> > cache for the current user)
> > 3. Set the KRB5CCNAME environment variable to point at this location
> > 4. Call gss_acquire_cred to get the initiator credentials
> > 5. Restore the previous value of KRB5CCNAME, if any
> > 6. Delete the temporary cache file
> I don't have example code on hand but I can provide some guidance on
> what APIs to use.
> * Start by creating a krb5 context with krb5_init_context().  Clean this
> up later with krb5_free_context().
> * Create a ccache with krb5_cc_new_unique().  Pass "MEMORY" as the type
> parameter and NULL as the hint.  Clean this up later with
> krb5_cc_destroy().
> * Open your keytab with krb5_kt_default() or krb5_kt_resolve().  Clean
> this up later with krb5_kt_close().
> * Acquire the credential with krb5_get_init_creds_keytab().  If you need
> to supply any options beyond the arguments to that function, create the
> options structure with krb5_get_init_creds_opt_alloc(), other
> krb5_get_init_creds_opt_* calls to set the options, and clean it up
> later with krb5_get_init_creds_opt_free().  Clean up the resulting
> credential later with krb5_free_creds().
> * Store the returned credential into the memory ccache with
> krb5_cc_store_cred().
> * Use gss_krb5_ccache_name() to get GSSAPI to use your memory ccache.
> (Call krb5_cc_get_name() to get the ccache name.)  This function sets a
> thread-specific variable.
> Now you should be ready to acquire credentials.
