Creating GSSAPI initiate credential using keytab entry

Greg Hudson ghudson at MIT.EDU
Mon Mar 8 23:49:04 EST 2010

On Mon, 2010-03-08 at 20:11 -0500, Richard Evans wrote:
> I assume the context needs to be freed after the gss_acquire_creds
> call? ie the context is storing the memory cache?

Memory caches are stored in a global (but mutex-protected) list, so
they're independent of the context they were created in.  You can clean
up the krb5 context as soon as you are ready to stop referencing it.

However, you'll need to reference the context to destroy the memory
ccache, which you shouldn't do until after the gss_acquire_creds call.

> One of the platforms I was experimenting was is AIX 5.3.  The Kerberos
> library there does not contain krb5_cc_new_unique.  Is there by any
> chance an older way of doing the same thing? The headers there mention
> krb5_cc_gen_new but it does not appear to be in the library.

You can pick a memory cache name yourself ("MEMORY:whatever") and
resolve it with krb5_cc_resolve().  You'll need to ensure the uniqueness
of the name if multiple instances of this operation might be taking
place at the same time.

More information about the krbdev mailing list