Cannot get name from default acceptor cred

Greg Hudson ghudson at MIT.EDU
Wed Mar 9 15:20:21 EST 2011


On Wed, 2011-03-09 at 14:10 -0500, Sriram Nambakam wrote:
> When this cred (with keytab) is used as part of
> gss_accept_security_context(...), the principal will be taken from the
> incoming token?

Because of the way server aliases work, we actually ignore the principal
name from the client and just try every entry in the keytab until we
find one that works.  (Unless we are running against the KDB keytab; in
that case we use the client-provided principal name.)

> I am trying to run the SAP gsstest against the MIT krb5 gss library, and
> it fails in two cases when trying to acquire default credentials.

Fundamentally, this is a place where GSSAPI and krb5 don't quite mesh.
We can probably make up a name to return in this case, such as the first
principal in the keytab.  Some care needs to be taken to handle
GSS_C_BOTH credentials correctly.  I'm not sure when or if I'll find
time to code this up.




