Simo Sorce

The target is generally controlled by the calling code. In this case I assume rpc.gssd is being invoked. Gss-proxy has no idea what interface is used because it is removed...

Just to be clear gssproxy does not use uname -a, either it gets a gss_name for the credential to acquire, or it will parse the keytab and select the first...

Ths is the caller: Sep 20 10:19:16 manet.1015granger.net rpc.gssd[1004]: gssd_get_single_krb5_cred(0x7fdeb6ffd640): Credentials in CC 'FILE:/tmp/krb5ccmachine_1015GRANGER.NET' are good until Tue Sep 20 16:35:20 2022 rpc.gssd process 1004 Do not know why rpc.gssd...

Can you point me at the place you see this in the code? a quick glance I do not see a place where gss_acquire_cred() is called from rpc.gssd with a...

That's what I thought, this is a gssd bug. gssproxy can try to paper over some things, but it can't divine which, of multiple principals, the application want's to use.

If you open a bug somwhere against it would be nice if you could link it here, so I can turn this issue into a discussion for other with the...

This is waiting on https://github.com/krb5/krb5/pull/1115 to be merged

@abbra is this something you need implemented in the short term?

The behavior you mention can happen if someone manually primes the ccache instead of letting gssprocy do it via client keytab directives. This due to libgssapi behavior which will srt...

@jbazik this i used by gss-proxy to perform operations like impersonation as they are split over multiple iterations and need a stored ccache to continue the operation. It is not...