Multiple KDC's realm heuristic for KRB5CCNAME=DIR:/tmp/mydir/ ccache not working

Greg Hudson ghudson at
Thu Jul 26 12:05:38 EDT 2018

On 07/26/2018 11:54 AM, Martin Gee wrote:
> I'm assuming *gss_spn_name +* GSS_C_BOTH is exercising both env variables?

Yes.  GSS_C_BOTH asks for both client and server credentials in the 
resulting cred.  The client side of the cred uses $KRB5_CLIENT_KTNAME 
(or the "client_keytab" key in gss_acquire_cred_from()) as well as the 
$KRB5CCNAME (or the "ccache" key), while the server side uses 
$KRB5_KTNAME (or the "keytab" key).

I get that you are working from t_s4u at the moment, and that program 
does an init_sec_context and accept_sec_context to itself for testing 
purposes.  But I would guess that your actual application should not 
need to call accept_sec_context(), so you can probably acquire the cred 
with GSS_C_INITIATE and not bother with $KRB5_KTNAME.

More information about the krbdev mailing list