without caching of initial krbtgt tickets

Greg Hudson ghudson at mit.edu
Mon Sep 28 18:49:22 EDT 2020


On 9/28/20 5:22 PM, Sri wrote:
> krb5_get_init_creds_password(context, &my_creds, userPrinc, pwd, 0, 0, starttime, 0, optz);
> krb5_cc_initialize(,ccahe,..)
> krb5_cc_store_creds(,..ccache,...) 

Side point, but it is generally better to use
krb5_get_init_creds_opt_set_out_ccache() so that appropriate ccache
config state can be written to the cache, rather than doing the
initialize and store operations yourself.  It's unlikely to have much of
an impact on this use case, however.

> 1) Is there any libkrb5 API that does both sending AS-REQ/AS-REP and TGS-REQ/TGS-REP. No need to send AP-REQ/AP-REP.

No, but you can specify a service name to krb5_get_init_creds_password()
using the in_tkt_service parameter, and get tickets to the target
service with just an AS-REQ.  This only works if the service is in the
same realm as the client; there is no such thing as a cross-realm AS
request.

> 2) Is it possible to invoke krb5_get_credentials() without caching the krbtgt tickets? I am trying to reuse the out_creds from krb5_get_init_creds_password() in krb5_get_credentials() but that failed with the trace below:

No, but you can use a MEMORY ccache by calling krb5_cc_new_unique() with
type MEMORY, and destroy the ccache afterwards.

