Getting root's cred in the ccache from keytab

Tomas Kuthan tomas.kuthan at
Tue Mar 25 12:02:40 EDT 2014

On 03/25/14 04:53 PM, Greg Hudson wrote:
> On 03/25/2014 10:54 AM, Tomas Kuthan wrote:
>> on Solaris, if root needs a TGT (for instance for sec nfs) and doesn't
>> have it in cache, an attempt is made in krb5_gss_init_sec_context() to
>> get one using system keytab. First keys for
>> 'root/hostname.some.domain at REALM' are sought, followed by
>> 'host/hostname.some.domain at REALM' and 'HOSTNAME$@REALM'.
>> I was told, that similar logic might be implemented in MIT Kerberos [...]
> Only for a broad definition of "similar."  After a lot of discussion, we
> implemented
> which introduces the concept of the "client keytab" as distinguished
> from the acceptor keytab.

So that's the client keytab!
I stumbled across it, but I wrongly considered it as "not it".


More information about the krbdev mailing list