App with multiple keytabs

Sorin Manolache sorinm at gmail.com
Wed Aug 31 08:32:10 EDT 2016


On 2016-08-31 12:38, Bradley Kite wrote:
> Hi there,
>
> I'm quite new to the gssapi, but my use-case is slightly different from the
> norm.
>
> I'm trying to write a "multi-tenanted" app where different threads need to
> run gssapi functions but using different keytab files (based on the tenant)
> - so setting KRB5_KTNAME (via putenv()) is not going to work unless I use
> some kind of locking/synchronisation which is going to be horrible for
> performance.
>
> I've looked through the docs for some kind of profile or configuration
> context that can be passed into a variant of gss_accept_sec_context() but
> I've not been able to find anything so far.
>
> Am I trying to do something that is not currently possible?
>
> I'd be glad to hear of any ideas that anyone might have for how to solve
> this problem.
>
> Many thanks in advance.

I think I have a similar use-case and I use gss_acquire_cred_from:

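#include <gssapi/gssapi_ext.h>   /* gss_acquire_cred_from, key/value set types */
#include <gssapi/gssapi_krb5.h>  /* gss_mech_set_krb5 */

gss_cred_id_t tgt;
OM_uint32 rc, ms, tm;
/* credential store with a single entry; the value is filled in per call */
gss_key_value_element_desc e[] = {{"client_keytab", NULL}};
gss_key_value_set_desc kv = {1, &e[0]};

e[0].value = keytab_name;
/* the cred store argument is a pointer to the key/value set */
rc = gss_acquire_cred_from(&ms, NULL, GSS_C_INDEFINITE,
(gss_OID_set)gss_mech_set_krb5, GSS_C_INITIATE, &kv, &tgt, NULL, &tm);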

HTH,
Sorin

