[39156] in Kerberos
Re: GSS-API error gss_accept_sec_context: Request ticket server HTTP/
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Nov 11 13:50:15 2022
Message-ID: <81516897-8535-0d62-ac52-3ffaf151d86f@mit.edu>
Date: Fri, 11 Nov 2022 13:44:54 -0500
To: Kerberos Enthusiast <kerberos.enthusiast@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <CAGshih9QY8hga0WDf+uc-Fgt6m3AUFLsas7LgtVNMQjs3m-K6A@mail.gmail.com>

On 11/11/22 10:33, Kerberos Enthusiast wrote:
> It seems, if multiple servers supply separate keytabs, then the
> subsequent kerberos auth request targeted for multiple kerberos servers
> with separate keytabs and application keep on
> updating "default_keytab_name" global variable and it causes some of the
> authentication requests to fail and it throws this error

There is no global variable named default_keytab_name in MIT krb5.
There is a krb5.conf configuration variable with this name, but it is
never changed by the GSS or Kerberos libraries.

> *"GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not
> found in keytab" *(major code - 186a5, d0000)

This message is a little bit puzzling, because the principal name
("HTTP/") is incomplete, and because the message of this form in the
code includes a parenthetical about the ticket kvno.

> Using this api *krb5_gss_register_acceptor_identity() *to set the default
> keytab file for kerberos authentication.

This function sets a thread-specific global variable. It should work to
invoke it before each call to gss_acquire_cred(), or before each call to
gss_accept_sec_context() using the default acceptor credential. Or:

> Can we use any other gss_api to maintain the local context of the keytab
> file and send this keytab for every authentication request?

gss_acquire_cred_from() allows the caller to specify a keytab name when
acquiring credentials. See:
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#credential-store-extensions