Getting root's cred in the ccache from keytab

Greg Hudson ghudson at MIT.EDU
Tue Mar 25 11:53:34 EDT 2014

On 03/25/2014 10:54 AM, Tomas Kuthan wrote:
> on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't 
> have it in cache, an attempt is made in krb5_gss_init_sec_context() to 
> get one using system keytab. First keys for 
> 'root/hostname.some.domain at REALM' are sought, followed by 
> 'host/hostname.some.domain at REALM' and 'HOSTNAME$@REALM'.
> I was told, that similar logic might be implemented in MIT Kerberos [...]

Only for a broad definition of "similar."  After a lot of discussion, we

which introduces the concept of the "client keytab" as distinguished
from the acceptor keytab.

More information about the krbdev mailing list