Learning Kerberos for development

Greg Hudson ghudson at MIT.EDU
Wed Aug 21 11:14:12 EDT 2013

On 08/21/2013 05:27 AM, letz.yaara wrote:
> 1 - When *gss_acquire_cred* returns major error *GSS_S_FAILURE*, how do I
> parse the minor mechanism error? *gss_display_status* returns an *empty
> string* (and I can't find the code anywhere else).

gss_display_status is the right way.  Make sure you're calling it
correctly; you can see an example at


There are a few bugs (not common) where we don't return a useful minor code.

> 2 - In what use case scenarios do I have multiple messages to be processed by
> *gss_display_status* (in which I need to call gss_display_status again
> according to the message_context argument)?

I don't believe our implementation ever returns multiple messages, but
you should check in case your code is linked against a different
implementation which does.

> 3 - *gss_acquire_cred* - where does it keep its cred cache? (not /tmp/
> krb5cc_something) and if I'm calling this function again - will it use the
> cached credentials?

gss_acquire_cred doesn't usually create a new ccache; it just creates an
in-memory object which represents an existing ccache or keytab.

If you are creating an acceptor credential, there is no ccache.

> 4 - *gsskrb5_register_acceptor_identity* - can I use this function instead
> of setting the environment variable *KRB5_KTNAME*? (not using
> /etc/krb5.conf at all)

You can; it affects future calls for the current thread.  Depending on
the version of libkrb5 you're using, there may be less hackish methods
of doing the same thing, such as gss_krb5_import_cred (1.9) or
gss_acquire_cred_from (1.10).

> 5. In *gss_acquire_cred* - the *time_rec* argument is described as "The number
> of seconds for which the credential will remain valid. *If the time
> remaining is not required*, specify NULL for this parameter." --> what does
> it mean "*If the time remaining is not required*"?

It means "if you do not need to know the amount of time remaining."

> can my cached
> credentials be indefinitely valid? (Basically I want to know in advance
> when my credentials are expired and how do I control this date while
> creating the keytab)

krb5 acceptor credentials are always indefinitely valid.  krb5 initiator
credentials are not; there is always an expiry time on the TGT, although
it may be a long time.
