[28645] in Kerberos
Re: question on gss_acquire_cred
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Fri Nov 2 15:46:52 2007
From: Ken Raeburn <raeburn@mit.edu>
Date: Fri, 2 Nov 2007 15:46:13 -0400
To: Priya Govindarajan <govindap@us.ibm.com>
Cc: kerberos@mit.edu
On Nov 2, 2007, at 15:17, Priya Govindarajan wrote:
> When I execute gss_server as another user I get the following
> error
> "server_acquire_creds: sample
> server_acquire_creds: calling gss_acquire_credGSS-API error acquiring
> credentials: Miscellaneous failure
> GSS-API error acquiring credentials: Permission denied"
>
> My understanding is gss_acquire_cred tries to get the default
> credential from the credential cache. How is gss_server, as user
> root, able to execute the gss_acquire_cred function without any cred
> in the credential cache?
> What is the problem when executing gss_server as any other user?
When trying to get "acceptor" (server) credentials, acquire_cred for
the Kerberos mechanism will look at the keytab for the service, not
at the current credentials cache. So that's where the permission-
denied problem would be coming up. (I think this is one of the error
messages we've clarified since the 1.6 branch, but I should check...)
Ken
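
Added example, not part of the message above and not MIT's code: a shell check for the failure the reply describes, where acceptor credentials come from the service keytab and the calling user cannot read it. It assumes the keytab is named by KRB5_KTNAME or is MIT's usual default /etc/krb5.keytab; the function names and return codes are made up for this sketch.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): is the acceptor keytab usable by this user?

# Assumption: resolve the keytab from KRB5_KTNAME, else MIT's usual default
# /etc/krb5.keytab. default_keytab_name in krb5.conf is not parsed here.
keytab_path() {
    kt_name="${KRB5_KTNAME:-FILE:/etc/krb5.keytab}"
    case "$kt_name" in
        FILE:*)   printf '%s\n' "${kt_name#FILE:}" ;;
        WRFILE:*) printf '%s\n' "${kt_name#WRFILE:}" ;;
        /*)       printf '%s\n' "$kt_name" ;;
        *)        return 2 ;;   # MEMORY: and other names this sketch does not handle
    esac
}

# Return codes (hypothetical): 0 usable, 1 unreadable by the current user,
# 2 unsupported keytab name, 3 missing, 4 readable but also world-readable.
check_keytab() {
    kt_path=$(keytab_path) || { echo "unsupported keytab name: $KRB5_KTNAME"; return 2; }
    if [ ! -e "$kt_path" ]; then
        echo "missing: $kt_path"; return 3
    fi
    kt_mode=$(ls -ld "$kt_path" | cut -c1-10)
    if [ ! -r "$kt_path" ]; then
        echo "unreadable by $(id -un): $kt_path ($kt_mode)"
        echo "acquiring acceptor credentials would fail with a permission error"
        return 1
    fi
    # Character 8 of the mode string is the "other" read bit.
    if [ "$(printf '%s' "$kt_mode" | cut -c8)" = "r" ]; then
        echo "readable, but world-readable: $kt_path ($kt_mode)"; return 4
    fi
    echo "ok: $kt_path ($kt_mode)"
}

check_keytab || true
```

Run it as the account that will start the server. A keytab holds the service's long-term keys, so the usual remedy for code 1 is a keytab owned by and readable only to that service account rather than looser permissions on a shared file.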