On Feb 20, 4:17 pm, Nicolas Williams <[email protected]> wrote:
> On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote:
> > ...
> > Is it correct that, if you can't rely on default GSSAPI credentials
> > (i.e. login identity and pre-cached TGT), then a client should use
> > gss_acquire_credentials() to establish this? ...
>
> The GSS-API does not give you a way to acquire initial credentials
> (i.e., anything involving interaction with the user to obtain things
> like principal name, password, smartcard/token PIN, ...). That's out of
> scope for the GSS-API.

Thanks for the reply (and also for the offline reply). Since this is the case (and btw the client is in C/C++) I added an upstream call to KLAcquireInitialTicketsWithPassword(), and that did the trick - the subsequent call to gss_acquire_cred() for the same principal works now.

FWIW, I was slightly confused with the language in the GSSAPI RFC which seems to indicate that an implementation of a mechanism (e.g. Kerberos) is not necessarily compatible with that mechanism used on its own. Turns out in this case (at least in C), it's not only compatible but *required* that you use the API for that mechanism on its own to make credentials available before using GSSAPI.

- Chris

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
