Use gss_krb5_import_cred() for initiator spnego creds

Isaac Boukris iboukris at
Sun Dec 12 21:15:53 EST 2021

On Mon, Dec 13, 2021 at 4:00 AM Greg Hudson <ghudson at> wrote:
> On 12/12/21 7:44 PM, Isaac Boukris wrote:
> > When passing a unique memory cache to gss_krb5_import_cred() (aka not
> > default), I fail to use these creds in gss_init_sec_context() with
> > spnego mech but succeed with krb5. I wonder if that's a bug or if
> > there is a way around it.
> >
> > I managed to reproduce in the test-suite, with this diff:
> gss_krb5_import_cred() creates a krb5 cred.  You can't use that with
> SPNEGO per the standard API, nor is there a way to turn an existing cred
> handle into a SPNEGO cred.  Recent Heimdal does allow this as an
> implicit extension (SPNEGO is flagged as a meta-mechanism which directly
> uses union creds), but MIT krb5 does not.
> A confounding factor is that the mechglue gss_init_sec_context() does
> not error out on mismatched credentials.  It just calls
> gssint_get_mechanism_cred() on the union cred, and if that returns NULL
> (it has no other way of failing) the mechglue just passes the default
> cred handle to the mech.  gss_accept_sec_context() used to behave the
> same way, but I changed that in 2011 to make it fail out instead.
> The current best way around this is to use gss_acquire_cred_from().

Ok thanks for clarifying it, my problem was because I create the
ccache with krb5_cc_new_unique(MEMORY) and so do not have its name, I
just noticed I can get the name with krb5_cc_get_full_name() and use
gss_acquire_cred_from() with that name, and it now works with spnego
too :)

More information about the krbdev mailing list