gss_krb5_import_cred

Sorin Manolache sorinm at gmail.com
Thu Oct 1 18:05:58 EDT 2015


On 2015-10-01 21:41, Greg Hudson wrote:
> On 10/01/2015 02:25 PM, sorin.manolache at orange.com wrote:
>> gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);
>>
>> can this call acquire any credentials that I could use later for
>> gss_init_sec_context? It seems to me that no, but I would like a
>> confirmation.
>
> No, you will only get acceptor creds this way.
>
>> Or, to put it differently, if all I have is a keytab file (i.e. I have
>> nothing in the caches, I have never called kinit, I have never called
>> gss_acquire_cred or gss_acquire_cred_by_password) is there a way to
>> acquire credentials only with that keytab file? (The keytab file is not
>> empty, obviously.)
>
> Yes, as of MIT krb5 1.11.  The basic outline is:
>
> * Configure a client keytab name, typically using the KRB5_CLIENT_KTNAME
> environment variable.
>
> * Configure a ccache (with KRB5CCNAME or otherwise) that won't be
> disturbed by a human.  Don't populate this cache manually.
>
> * Call gss_acquire_cred() with usage GSS_C_INITIATE.  Ticket acquisition
> and refreshes from the keytab will happen automatically behind the scenes.
>
> As of 1.12, you can use gss_acquire_cred_from() to specify the client
> keytab name and ccache name, if you want to do that programmatically
> rather than through the program environment.
>
> There is more at:
>
> http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
>
> This is under-documented in the main documentation; the component
> features are documented, but there ought to be a better "how to."


Thank you.

Sorin

