gss_store_cred_into() and gss_acquire_cred_from() on a client specific basis

Greg Hudson ghudson at mit.edu
Thu May 23 11:27:02 EDT 2019


On 5/23/19 8:04 AM, moore moore wrote:
> I have tried to create store with clientuser specific name also, like: MEMORY:clientuser1 at TEST.COM
> And while the store into still worked, acquire_from failed with:
> gss_acquire_cred_from: SPNEGO cannot find mechanisms to negotiate
> But I don't see a way to use ccache name anyways to reference the store subsequently?

This is the right approach; you need client-specific ccache names to
store the proxy creds.

gss_acquire_cred_from() accepts a cred_store parameter just like
gss_store_cred_into(), and it must contain the same (per-client) ccache
value to find the correct creds.

The SPNEGO error message isn't very specific.  You could use trace logs
to try to figure out why acquiring krb5 creds doesn't work, or you could
(temporarily, for debugging purposes) try acquiring krb5 creds instead
of SPNEGO creds.
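
The approach described in the reply above, as an added example that is not part of the original post: it uses the python-gssapi binding, whose `Credentials.store(store=...)` and `Credentials(store=...)` wrap gss_store_cred_into() and gss_acquire_cred_from(). The helper names and the principal names in the comments are hypothetical; a working Kerberos environment is assumed for the acquire step.

```python
# Added example: one ccache per client, named identically in both calls.
try:
    import gssapi  # python-gssapi, a binding over the C GSSAPI
except ImportError:  # the store-building helper below needs no GSSAPI
    gssapi = None

SPNEGO_OID = "1.3.6.1.5.5.2"  # SPNEGO mechanism OID


def client_cred_store(client_principal):
    """Build the cred store that names this client's own MEMORY ccache.

    The same mapping must be passed when storing and when acquiring,
    otherwise the acquire call looks in a different ccache.
    """
    if not client_principal:
        raise ValueError("client principal name is required")
    return {"ccache": "MEMORY:" + client_principal}


def store_client_creds(creds, client_principal):
    """Store creds (a gssapi.Credentials holding the proxy creds)
    into the client's ccache; gss_store_cred_into() underneath."""
    store = client_cred_store(client_principal)
    creds.store(store=store, usage="initiate", overwrite=True)
    return store


def acquire_client_creds(client_principal, spnego=True):
    """Acquire initiator creds from the client's ccache;
    gss_acquire_cred_from() underneath.

    spnego=False asks for krb5 creds directly, the temporary debugging
    step suggested in the reply, so a krb5-level failure is reported
    instead of the generic SPNEGO message.
    """
    if spnego:
        mech = gssapi.OID.from_int_seq(SPNEGO_OID)
    else:
        mech = gssapi.MechType.kerberos
    return gssapi.Credentials(
        usage="initiate",
        mechs=[mech],
        store=client_cred_store(client_principal),  # same value as stored
    )

# Typical sequence (constructed names):
#   store_client_creds(proxy_creds, "alice@EXAMPLE.COM")
#   creds = acquire_client_creds("alice@EXAMPLE.COM", spnego=False)
```

With MIT krb5, setting the `KRB5_TRACE` environment variable to a file path before running produces the trace log mentioned in the reply.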

