Greg Hudson ghudson at
Thu Oct 1 15:41:11 EDT 2015

On 10/01/2015 02:25 PM, sorin.manolache at wrote:
> gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);
> can this call acquire any credentials that I could use later for 
> gss_init_sec_context? It seems to me that no, but I would like a 
> confirmation.

No, you will only get acceptor creds this way.

> Or, to put it differently, if all I have is a keytab file (i.e. I have 
> nothing in the caches, I have never called kinit, I have never called 
> gss_acquire_cred or gss_acquire_cred_by_password) is there a way to 
> acquire credentials only with that keytab file? (The keytab file is not 
> empty, obviously.)

Yes, as of MIT krb5 1.11.  The basic outline is:

* Configure a client keytab name, typically using the KRB5_CLIENT_KTNAME
environment variable.

* Configure a ccache (with KRB5CCNAME or otherwise) that won't be
disturbed by a human.  Don't populate this cache manually.

* Call gss_acquire_cred() with usage GSS_C_INITIATE.  Ticket acquisition
and refreshes from the keytab will happen automatically behind the scenes.

As of 1.12, you can use gss_acquire_cred_from() to specify the client
keytab name and ccache name, if you want to do that programmatically
rather than through the program environment.

There is more at:

This is under-documented in the main documentation; the component
features are documented, but there ought to be a better "how to."

More information about the krbdev mailing list