Learning Kerberos for development
ghudson at MIT.EDU
Wed Aug 21 11:14:12 EDT 2013
On 08/21/2013 05:27 AM, letz.yaara wrote:
> 1 - When *gss_acquire_cred* returns major error *GSS_S_FAILURE*, how do I
> parse the minor mechanism error ? *gss_display_status *returns an *empty
> string (*and I can't find the code anywhere else).
gss_display_status is the right way. Make sure you're calling it
correctly; you can see an example at
There are a few bugs (not common) where we don't return a useful minor code.
> 2 - In what use case scenarios I have multiples messages to be processed by
> *gss_display_status* ( in which I need to call gss_display_status again
> according to the message_context argument)
I don't believe our implementation ever returns multiple messages, but
you should check in case your code is linked against a different
implementation which does.
> 3 - *gss_acquire_cred* - where does it keep its cred cache? (not /tmp/
> krb5cc_something) and if I'm calling this function again - will it use the
> cached credentials?
gss_acquire_cred doesn't usually create a new ccache; it just creates an
in-memory object which represents an existing ccache or keytab.
If you are creating an acceptor credential, there is no ccache.
> 4 - *gsskrb5_register_acceptor_identity - *can I use this function instead
> of setting the environment variable *KRB5_KTNAME *?(not using
> /etc/krb5.conf at all)
You can; it affects future calls for the current thread. Depending on
the version of libkrb5 you're using, there may be less hackish methods
of doing the same thing, such as gss_krb5_import_cred (1.9) or
> 5. In *gss_acquire_cred - t**ime_rec* argument is described as "The number
> of seconds for which the credential will remain valid.* If the time
> remaining is not required*, specify NULL for this parameter." --> what does
> it mean "*If the time remaining is not required"
It means "if you do not need to know the amount of time remaining."
> can my cached
> credentials be indefinitely valid? (Basically I want to know in advance
> when my credentials are expired and how to I control this date while
> creating the keytab)
krb5 acceptor credentials are always indefinitely valid. krb5 initiator
credentials are not; there is always an expiry time on the TGT, although
it may be a long time.
More information about the krbdev