Getting root's cred in the ccache from keytab

Tomas Kuthan tomas.kuthan at
Tue Mar 25 10:54:03 EDT 2014


on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't 
have it in cache, an attempt is made in krb5_gss_init_sec_context() to 
get one using system keytab. First keys for 
'root/hostname.some.domain at REALM' are sought, followed by 
'host/hostname.some.domain at REALM' and 'HOSTNAME$@REALM'.

I was told, that similar logic might be implemented in MIT Kerberos, but 
I was not able to find support for it in the code, nor in documentation. 
I also did a quick test and it doesn't seem to work for me, at least not 
under the same conditions as with Solaris...

Does MIT Kerberos support root getting TGT from keytab?
If yes, could you please point me to place in code?


More information about the krbdev mailing list