in Kerberos_V5_Development
Re: Multiple KDC's realm heuristic for KRB5CCNAME=DIR:/tmp/mydir/
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jul 26 12:05:51 2018
To: Martin Gee <firstname.lastname@example.org>, "email@example.com" <firstname.lastname@example.org>
From: Greg Hudson <email@example.com>
Date: Thu, 26 Jul 2018 12:05:38 -0400
Content-Type: text/plain; charset="utf-8"
On 07/26/2018 11:54 AM, Martin Gee wrote:
> I'm assuming *gss_spn_name +* GSS_C_BOTH is exercising both env variables?
Yes. GSS_C_BOTH asks for both client and server credentials in the
resulting cred. The client side of the cred uses $KRB5_CLIENT_KTNAME
(or the "client_keytab" key in gss_acquire_cred_from()) as well as the
$KRB5CCNAME (or the "ccache" key), while the server side uses
$KRB5_KTNAME (or the "keytab" key).
I get that you are working from t_s4u at the moment, and that program
does an init_sec_context and accept_sec_context to itself for testing
purposes. But I would guess that your actual application should not
need to call accept_sec_context(), so you can probably acquire the cred
with GSS_C_INITIATE and not bother with $KRB5_KTNAME.
krbdev mailing list firstname.lastname@example.org