Calling init_sec_context() without config file and default realm

Isaac Boukris iboukris at
Fri Dec 24 12:27:32 EST 2021


In a test environment I'm trying to set up, I use HTTP/localhost as
service principal for simplicity, but this causes init_sec_context()
to fail due to lack of config-file and default-realm (or even a FS in
my case, I think).

I'm wondering if this is something we can fix in the library to allow
working without config-file, or how to get around it, perhaps using a
different gss name-type for the target would help, need to check, but
anyway I think it is worth raising.

This is the error I get from init_sec_context():

major: No credentials were supplied, or the credentials were
unavailable or inaccessible
minor: Configuration file does not specify default realm

Which I tracked to:

    at krb5_get_default_realm (:1:1665697)
    at krb5_get_fallback_host_realm (:1:1664801)
    at krb5_cc_select (:1:847942)
    at kg_cred_resolve (:1:299328)
    at krb5_gss_init_sec_context_ext (:1:446141)
    at krb5_gss_init_sec_context (:1:462004)
    at gss_init_sec_context (:1:94944)
    at init_ctx_call_init (:1:656631)

Worked around with:

diff --git a/src/lib/gssapi/krb5/acquire_cred.c
index e226a0269..69e5b0303 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -984,7 +984,7 @@ kg_cred_resolve(OM_uint32 *minor_status,
krb5_context context,
     /* acquire_init_cred should have set both name and ccache, or neither. */
     assert(cred->ccache == NULL);

-    if (tname != NULL) {
+    if (0 && tname != NULL) {
         /* Use the target name to select an existing ccache or a principal. */
         code = krb5_cc_select(context, tname->princ, &cred->ccache,


More information about the krbdev mailing list