> On 07/29/2014 04:50 PM, Michael Osipov wrote: > > my application tries to acquire a GSS credential with a client keytab: > > > > $ KRB_CLIENT_KTNAME=$HOME/client.keytab app > > The environment variable is KRB5_CLIENT_KTNAME, not KRB_CLIENT_KTNAME. > Did you use the correct variable name?
I am sorry, that was a typo of course. I have set KRB5_CLIENT_KTNAME in my .profile. > > No credential is obtained. At that time, the credential was already > > expired. > > Was the credential acquired using the client keytab via GSSAPI, or by > hand? The intent is that we refresh credentials obtained using the > client keytab when they are halfway to expired, but that only works if > they were acquired by GSSAPI from the client keytab in the first place. The credential was acquired either by kinit password or by kinit -k -t. If I understood you correctly, the API makes a difference here. By hand or by cient keytab. The problem is that one has sometimes no control over, even worse I cannot check how the credential was obtained because klist does not reveil that information. Why is there a difference in the first place? Thanks, Michael ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
