ghudson at mit.edu
Thu Oct 1 15:41:11 EDT 2015
On 10/01/2015 02:25 PM, sorin.manolache at orange.com wrote:
> gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);
> can this call acquire any credentials that I could use later for
> gss_init_sec_context? It seems to me that no, but I would like a
No, you will only get acceptor creds this way.
> Or, to put it differently, if all I have is a keytab file (i.e. I have
> nothing in the caches, I have never called kinit, I have never called
> gss_acquire_cred or gss_acquire_cred_by_password) is there a way to
> acquire credentials only with that keytab file? (The keytab file is not
> empty, obviously.)
Yes, as of MIT krb5 1.11. The basic outline is:
* Configure a client keytab name, typically using the KRB5_CLIENT_KTNAME
* Configure a ccache (with KRB5CCNAME or otherwise) that won't be
disturbed by a human. Don't populate this cache manually.
* Call gss_acquire_cred() with usage GSS_C_INITIATE. Ticket acquisition
and refreshes from the keytab will happen automatically behind the scenes.
As of 1.12, you can use gss_acquire_cred_from() to specify the client
keytab name and ccache name, if you want to do that programmatically
rather than through the program environment.
There is more at:
This is under-documented in the main documentation; the component
features are documented, but there ought to be a better "how to."
More information about the krbdev