I've been trying to move Samba4 across to using the new
gss_krb5_import_creds function. This should reduce our custom hacks
significantly, and I thought it provided the correct semantics.

However, we make extensive use of in-memory keytabs, and currently this
routine fails to 'reference' an existing in-memory keytab. Instead,
these steps create a new, blank in-memory keytab:

    kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str);
    if (kret)
        goto out;
    kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab);
    free(str);
    if (kret)
        goto out;

I see a few solutions: We could copy the contents of the keytab (as
being 'unlikely to change'), we could add a new function to 'reference'
a keytab (other than by get/resolve name), or the code in
keytab_memory.c could be changed to record the list of keytabs (with
reference counting etc.), much as the in-memory ccache code does.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
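Added example, not part of the original message and not Heimdal code: a simplified C model of the behaviour described above (resolve by name yields a blank keytab) next to the third option (a name-keyed list of in-memory keytabs with reference counting). All names (struct mkt, mkt_resolve_fresh, mkt_resolve_shared, mkt_close_shared) are hypothetical, and keytab entries are modelled as a bare count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not Heimdal code; every name here is hypothetical. */
struct mkt { char *name; int refcount; int nentries; struct mkt *next; };
static struct mkt *mkt_list;   /* registry of live in-memory keytabs */

/* Behaviour described in the post: each resolve yields a new, blank keytab. */
struct mkt *mkt_resolve_fresh(const char *name) {
    struct mkt *k = calloc(1, sizeof(*k));
    if (k == NULL || (k->name = malloc(strlen(name) + 1)) == NULL) { free(k); return NULL; }
    strcpy(k->name, name);
    k->refcount = 1;
    return k;
}

/* Registry variant: resolving a known name references the existing keytab. */
struct mkt *mkt_resolve_shared(const char *name) {
    struct mkt *k;
    for (k = mkt_list; k != NULL; k = k->next)
        if (strcmp(k->name, name) == 0) { k->refcount++; return k; }
    if ((k = mkt_resolve_fresh(name)) == NULL) return NULL;
    k->next = mkt_list;
    mkt_list = k;
    return k;
}

/* Drop one reference; unlink and free on the last. Returns references left. */
int mkt_close_shared(struct mkt *k) {
    struct mkt **pp;
    if (--k->refcount > 0) return k->refcount;
    for (pp = &mkt_list; *pp != NULL; pp = &(*pp)->next)
        if (*pp == k) { *pp = k->next; break; }
    free(k->name);   /* a real keytab would also zero key material here */
    free(k);
    return 0;
}

int main(void) {
    struct mkt *a = mkt_resolve_fresh("MEMORY:demo");
    struct mkt *b = mkt_resolve_fresh("MEMORY:demo");   /* name round trip */
    struct mkt *c = mkt_resolve_shared("MEMORY:demo2");
    struct mkt *d = mkt_resolve_shared("MEMORY:demo2");
    if (!a || !b || !c || !d) return 1;
    a->nentries = c->nentries = 2;   /* caller adds two keys */
    printf("fresh: %d entries, shared: %d entries\n", b->nentries, d->nentries);
    return 0;
}
```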