[19792] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Multiple KDC's realm heuristic for KRB5CCNAME=DIR:/tmp/mydir/

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jul 26 12:05:51 2018

To: Martin Gee <geemang_2000@yahoo.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <29d00acb-4e45-7ede-9ba4-48d056efbd19@mit.edu>
Date: Thu, 26 Jul 2018 12:05:38 -0400
MIME-Version: 1.0
In-Reply-To: <1972888049.2813017.1532620456083@mail.yahoo.com>
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 07/26/2018 11:54 AM, Martin Gee wrote:
> I'm assuming *gss_spn_name +* GSS_C_BOTH is exercising both env variables?

Yes.  GSS_C_BOTH asks for both client and server credentials in the 
resulting cred.  The client side of the cred uses $KRB5_CLIENT_KTNAME 
(or the "client_keytab" key in gss_acquire_cred_from()) as well as the 
$KRB5CCNAME (or the "ccache" key), while the server side uses 
$KRB5_KTNAME (or the "keytab" key).

I get that you are working from t_s4u at the moment, and that program 
does an init_sec_context and accept_sec_context to itself for testing 
purposes.  But I would guess that your actual application should not 
need to call accept_sec_context(), so you can probably acquire the cred 
with GSS_C_INITIATE and not bother with $KRB5_KTNAME.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev


home help back first fref pref prev next nref lref last post