MIT Kerberos using invalid in-memory credential cache

Vipul Mehta vipulmehta.1989 at
Thu Jan 14 08:37:10 EST 2021

What is logic used to find out default credential cache ?
If I specify KRB5 mech type with KRB5 gss credential, MIT Kerberos will
return krb5 token. Is there any way to convert this krb5 token into SPNEGO
token ?
We use tomcat server which accepts SPNEGO token only.
If i am able to obtain SPNEGO token using krb5 cred then i will also be
able to use this piece of code to enhance the curl library to work with
user specified krb5 gss credential that will be helpful for use cases in
which service needs to impersonate multiple authenticated users.

On Mon, Jan 11, 2021 at 10:33 PM Greg Hudson <ghudson at> wrote:

> On 1/7/21 3:11 AM, Vipul Mehta wrote:
> > 1) How is default credential picked up when GSS_C_NO_CREDENTIAL is
> > specified in gss_init_sec_context() ? How is in-memory credential cache
> > used here ?
> The default ccache is used, which is generally not a memory credential
> cache.  krb5_gss_init_sec_context_ext() calls kg_get_defcred() which
> calls krb5_gss_acquire_cred() with default arguments.
> > 2) If the GSS credential passed to  gss_init_sec_context() does not
> > match the specified mechanism type then  GSS_C_NO_CREDENTIAL is the
> > value returned from gssint_get_mechanism_cred().  Why it does not simply
> > fail here as client didn't pass matching oid and cred ?
> I'd call that a long-standing bug.  The same was true for
> gss_accept_sec_context() until commit
> 79c34ed3d829ee9e3fa64aa5b3b90b4e37514cf7.
> > One more qus - How to create SPNEGO output token from
> gss_init_sec_context using krb5 gss credential ?
> You can't; you have to acquire a SPNEGO credential, which will acquire a
> krb5 credential internally (and possibly other mech credentials).  You
> can use gss_set_neg_mechs() to determine which mechs can be negotiated
> with the SPNEGO credential.
> There have been proposed extensions to allow a mech credential to be
> used with SPNEGO, but none have been implemented in MIT krb5.  One old
> proposal is a gss_acquire_cred_with_cred() function, which could allow
> an arbitrary cred to be turned into a SPNEGO cred.  Another proposal,
> implemented recently in Heimdal, is to decide that as a negotiation
> mechanism, SPNEGO directly uses union creds and can be invoked with
> arbitrary claimant credentials.


More information about the krbdev mailing list