Kevin Coffman wrote: >>Sure, but it doesn't sound like gss_init_sec_context should do any of >>these. > > > Doesn't it, as a by-product, get a service ticket and store it?
The way it works is that when the MSLSA ccache is asked to store a ticket in the cache, the library in turn issues a Ticket Getting Request to the LSA which in turn results in the ticket appearing in the LSA cache. The only ccache api functions which return a KRB5_CC_READONLY error are: generate_new store (only if the LSA is unable to obtain a matching ticket) remove_cred Now there is one possibility. Perhaps the Windows Kerberos subsystem has no knowledge of the realm from which you are obtaining tickets. If the realm information is only located in the krb5.ini file and has not been configured via ksetup.exe, you may see KRB5_CC_READONLY errors. Jeffrey Altman ----------------- This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos