On Sat, Aug 09 2014 at 00:41:07 -0400, Greg Hudson scribbled
in "Re: Machine authentication":
> On 08/08/2014 03:37 AM, jarek wrote:
> > Is it possible to receive ticket for host principal and use
> > this ticket for authentication?
>
> Yes. Normally this is done using a keytab, in one of three ways:
>
> * krb5_get_init_creds_keytab from the application code.
>
> * kinit -k from the command line. (This will only work until the
>   resulting tickets expire.)
>
> * Client keytab initiation (new in MIT krb5 1.11). Set the
>   environment variable KRB5_CLIENT_KTNAME to FILE:/path/to/keytab, and
>   set KRB5CCNAME to FILE:/some/path/writable/by/daemon/process. Don't
>   create the ccache. The GSS application will create it automatically
>   using the keytab, and will refresh it when needed.

Another option that sits somewhere between options 2 and 3 is to use
Russ' very useful k5start tool [0] which will "Obtain and optionally
keep active a Kerberos v5 ticket" by creating a CCache and renewing it
when necessary.

The page [0] explains it all better than I can, so probably best to
just give it a read through.

Cheers.

Dameon.

[0] http://www.eyrie.org/~eagle/software/kstart/

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
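
The client keytab initiation setup quoted above (Greg Hudson's third option), as an added example that is not part of the original thread: a launcher pre-flight that checks the keytab and the ccache location, then exports the two variables without creating the ccache. The helper names, the return codes and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight for client keytab initiation (MIT krb5 1.11+).
# prepare_client_keytab and file_mode are hypothetical helpers, not krb5 tools.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: prepare_client_keytab /path/to/keytab /path/to/ccache
# Returns 0 and exports KRB5_CLIENT_KTNAME and KRB5CCNAME, or:
#   1 keytab missing/unreadable, 2 keytab too permissive, 3 ccache dir unusable
prepare_client_keytab() {
    keytab=$1
    ccache=$2

    if [ ! -f "$keytab" ] || [ ! -r "$keytab" ]; then
        echo "keytab missing or unreadable: $keytab" >&2
        return 1
    fi

    # A keytab holds the principal's long-term keys.
    # Policy assumed here: no group or other permission bits at all.
    mode=$(file_mode "$keytab") || return 1
    case "$mode" in
        *00|0) ;;
        *) echo "keytab mode $mode allows group/other access" >&2; return 2 ;;
    esac

    # The daemon process must be able to create the ccache file itself.
    dir=$(dirname "$ccache")
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "ccache directory not writable: $dir" >&2
        return 3
    fi

    # Do not create the ccache here: the GSS application creates it
    # from the keytab and refreshes it when needed.
    KRB5_CLIENT_KTNAME="FILE:$keytab"
    KRB5CCNAME="FILE:$ccache"
    export KRB5_CLIENT_KTNAME KRB5CCNAME
    return 0
}
```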