Sorin Manolache sorinm at
Thu Oct 1 18:05:58 EDT 2015

On 2015-10-01 21:41, Greg Hudson wrote:
> On 10/01/2015 02:25 PM, sorin.manolache at wrote:
>> gss_krb5_import_cred(&minor, NULL /* ccache */, princ, keytab, &cred);
>>
>> can this call acquire any credentials that I could use later for
>> gss_init_sec_context? It seems to me that no, but I would like a
>> confirmation.
>
> No, you will only get acceptor creds this way.
>
>> Or, to put it differently, if all I have is a keytab file (i.e. I have
>> nothing in the caches, I have never called kinit, I have never called
>> gss_acquire_cred or gss_acquire_cred_by_password) is there a way to
>> acquire credentials only with that keytab file? (The keytab file is not
>> empty, obviously.)
>
> Yes, as of MIT krb5 1.11.  The basic outline is:
>
> * Configure a client keytab name, typically using the KRB5_CLIENT_KTNAME
>   environment variable.
> * Configure a ccache (with KRB5CCNAME or otherwise) that won't be
>   disturbed by a human.  Don't populate this cache manually.
> * Call gss_acquire_cred() with usage GSS_C_INITIATE.  Ticket acquisition
>   and refreshes from the keytab will happen automatically behind the scenes.
>
> As of 1.12, you can use gss_acquire_cred_from() to specify the client
> keytab name and ccache name, if you want to do that programmatically
> rather than through the program environment.
>
> There is more at:
>
> This is under-documented in the main documentation; the component
> features are documented, but there ought to be a better "how to."

Thank you.
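
The first two steps of the outline quoted above (client keytab name and a dedicated ccache set through the environment), as an added example that is not part of the original thread or of MIT krb5. The function name, the paths, the cache file name and the permission policy are assumptions; the launched program is expected to call gss_acquire_cred() with GSS_C_INITIATE itself.

```shell
#!/bin/sh
# Added example: prepare the environment for a keytab-only GSS initiator.
# The function name and all paths are hypothetical.

# use_client_keytab KEYTAB CCACHE_DIR
# Exports KRB5_CLIENT_KTNAME and KRB5CCNAME, or returns non-zero without
# exporting anything if the keytab is not safe to use.
use_client_keytab() {
    kt=$1
    ccdir=$2

    # The keytab holds long-term keys: require a regular file (not a
    # symlink), owned by this user, with no group/other permission bits.
    [ -O "$kt" ] || { echo "keytab missing or not owned by this user: $kt" >&2; return 1; }
    mode=$(ls -ld -- "$kt" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "unsafe keytab mode $mode: $kt" >&2; return 1 ;;
    esac
    [ -s "$kt" ] || { echo "keytab is empty: $kt" >&2; return 1; }

    # Dedicated cache directory that only this account can enter, so that
    # no interactive kinit ends up writing into the same cache. The cache
    # file itself is deliberately not created here.
    mkdir -p -- "$ccdir" && chmod 700 "$ccdir" || return 1

    KRB5_CLIENT_KTNAME="FILE:$kt"
    KRB5CCNAME="FILE:$ccdir/krb5cc_service"
    export KRB5_CLIENT_KTNAME KRB5CCNAME
}

# Typical use in a launcher (hypothetical paths and program):
#   use_client_keytab /etc/myservice/client.keytab /run/myservice/cc &&
#       exec /usr/local/bin/myservice
```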


More information about the krbdev mailing list