Creating GSSAPI initiate credential using keytab entry

Richard Evans richard.evans at
Tue Mar 9 04:22:05 EST 2010

krb5_cc_resolve works fine on AIX also.  Thanks.

Last thoughts, (I hope):

When getting initiate credentials this way I can completely control the location of the keytab file; 
is there a way to specify the keytab location when getting accept only credentials? 

I was trying my test program on Solaris 10 - they seem to have the gss_krb5_ccache_name function, but only in
a loadable mechanism library. Does anyone have any experience using this on Solaris?


-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU] 
Sent: 09 March 2010 04:49
To: Richard Evans
Cc: krbdev at
Subject: Re: Creating GSSAPI initiate credential using keytab entry

On Mon, 2010-03-08 at 20:11 -0500, Richard Evans wrote:
> I assume the context needs to be freed after the gss_acquire_creds
> call? i.e. the context is storing the memory cache?

Memory caches are stored in a global (but mutex-protected) list, so
they're independent of the context they were created in.  You can clean
up the krb5 context as soon as you are ready to stop referencing it.

However, you'll need to reference the context to destroy the memory
ccache, which you shouldn't do until after the gss_acquire_creds call.

> One of the platforms I was experimenting with is AIX 5.3.  The Kerberos
> library there does not contain krb5_cc_new_unique.  Is there by any
> chance an older way of doing the same thing? The headers there mention
> krb5_cc_gen_new but it does not appear to be in the library.

You can pick a memory cache name yourself ("MEMORY:whatever") and
resolve it with krb5_cc_resolve().  You'll need to ensure the uniqueness
of the name if multiple instances of this operation might be taking
place at the same time.
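
The sequence discussed in this thread, as an added example (not code from either poster or from the MIT krb5 tree): choose a unique "MEMORY:" name, resolve it with krb5_cc_resolve(), fill it from a keytab, and hand the ccache back so it can be destroyed after gss_acquire_cred. The names make_memory_ccache_name and acquire_from_keytab and the "kt-<pid>-<n>" name format are hypothetical; C11 atomics and MIT-style headers are assumed.

```c
/* Build the krb5 part with: cc -DUSE_KRB5 ex.c -lgssapi_krb5 -lkrb5 */
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper. MEMORY ccaches live in a per-process list, so the pid
 * plus a process-wide atomic counter gives every call a distinct name.
 * Returns 0, or -1 if buf is too small. */
int make_memory_ccache_name(char *buf, size_t len)
{
    static atomic_ulong seq;
    int w = snprintf(buf, len, "MEMORY:kt-%ld-%lu", (long)getpid(),
                     (unsigned long)atomic_fetch_add(&seq, 1));
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

#ifdef USE_KRB5
#include <krb5.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
/* Keytab -> TGT -> named MEMORY ccache -> GSS initiate credential.
 * The caller owns ctx; on success it also owns *cc and calls
 * krb5_cc_destroy(ctx, *cc) once it has finished with *out. */
int acquire_from_keytab(krb5_context ctx, const char *princ_name,
                        const char *kt_name, krb5_ccache *cc, gss_cred_id_t *out)
{
    krb5_principal princ = NULL; krb5_keytab kt = NULL; krb5_creds creds;
    char name[64]; const char *old = NULL; OM_uint32 maj = GSS_S_FAILURE, min;

    *cc = NULL; memset(&creds, 0, sizeof(creds));
    if (!make_memory_ccache_name(name, sizeof(name)) &&
        !krb5_parse_name(ctx, princ_name, &princ) &&
        !krb5_kt_resolve(ctx, kt_name, &kt) &&
        !krb5_get_init_creds_keytab(ctx, &creds, princ, kt, 0, NULL, NULL) &&
        !krb5_cc_resolve(ctx, name, cc) &&
        !krb5_cc_initialize(ctx, *cc, princ) &&
        !krb5_cc_store_cred(ctx, *cc, &creds) &&
        !GSS_ERROR(gss_krb5_ccache_name(&min, name, &old))) {
        maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                               GSS_C_NO_OID_SET, GSS_C_INITIATE, out, NULL, NULL);
        gss_krb5_ccache_name(&min, old, NULL);  /* restore previous default */
    }
    krb5_free_cred_contents(ctx, &creds);       /* safe on a zeroed struct */
    if (kt) krb5_kt_close(ctx, kt);
    if (princ) krb5_free_principal(ctx, princ);
    if (GSS_ERROR(maj) && *cc) { krb5_cc_destroy(ctx, *cc); *cc = NULL; }
    return GSS_ERROR(maj) ? -1 : 0;
}
#endif
```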
