gss_krb5_import_cred fails for Samba

Nico Williams nico at
Sat Jul 23 00:12:59 EDT 2011

On Fri, Jul 22, 2011 at 10:29 PM, Greg Hudson <ghudson at> wrote:
> On Fri, 2011-07-22 at 20:14 -0400, Andrew Bartlett wrote:
>> This case is where the principal is specified, and the incoming GSSAPI
>> request has the same key and knvo, but a different server name?
> Contrary to what Luke says, I would expect this to work out of the box
> in krb5 1.9.  If you look at the logic of
> krb5_rd_req_decrypt_tkt_part() in rd_req_dec.c, you'll see that if
> server != NULL, we look up server in the keytab and ignore
> req->ticket->server.

I think using req->ticket->server is precisely what Andrew wants,
which means using GSS_C_NO_CREDENTIAL *or* a credential acquired for
desired_name == GSS_C_NO_NAME.  (GSS doesn't [yet] have a strong
concept of credential sets, as it requires that desired_name be the
same for all elements of a credential -- that is, it has a concept of
credential set, but what must differ from one element to the next is
the mechanism, not the name.)


More information about the krbdev mailing list