Calling init_sec_context() without config file and default realm
Isaac Boukris
iboukris at gmail.com
Fri Dec 24 12:27:32 EST 2021
Hi,

In a test environment I'm trying to set up, I use HTTP/localhost as
service principal for simplicity, but this causes init_sec_context()
to fail due to lack of config-file and default-realm (or even a FS in
my case, I think).

I'm wondering if this is something we can fix in the library to allow
working without config-file, or how to get around it, perhaps using a
different gss name-type for the target would help, need to check, but
anyway I think it is worth raising.

This is the error I get from init_sec_context():

major: No credentials were supplied, or the credentials were
unavailable or inaccessible
minor: Configuration file does not specify default realm

Which I tracked to:

at krb5_get_default_realm (:1:1665697)
at krb5_get_fallback_host_realm (:1:1664801)
at krb5_cc_select (:1:847942)
at kg_cred_resolve (:1:299328)
at krb5_gss_init_sec_context_ext (:1:446141)
at krb5_gss_init_sec_context (:1:462004)
at gss_init_sec_context (:1:94944)
at init_ctx_call_init (:1:656631)

Worked around with:

diff --git a/src/lib/gssapi/krb5/acquire_cred.c
b/src/lib/gssapi/krb5/acquire_cred.c
index e226a0269..69e5b0303 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -984,7 +984,7 @@ kg_cred_resolve(OM_uint32 *minor_status,
krb5_context context,
/* acquire_init_cred should have set both name and ccache, or neither. */
assert(cred->ccache == NULL);
- if (tname != NULL) {
+ if (0 && tname != NULL) {
/* Use the target name to select an existing ccache or a principal. */
code = krb5_cc_select(context, tname->princ, &cred->ccache,
&client_princ);
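
Review bot: The `if (0 && tname != NULL)` condition in kg_cred_resolve() turns off the krb5_cc_select() call for every caller, so selecting a ccache or principal by target name is lost even where a default realm is configured, and the branch becomes dead code. Since the reported failure comes from krb5_get_default_realm() underneath krb5_cc_select(), a narrower change would keep the `tname != NULL` test and treat only the "Configuration file does not specify default realm" result from krb5_cc_select() as non-fatal, continuing as if no ccache had been selected. A comment stating why that one error is tolerated would also help, because the existing comment still says the target name is used for selection.
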
Thanks!