Subject: mismatch between client keytab default principal for kinit and GSS-API

When client keytabs are used to automatically obtain initiator credentials for the GSS-API, we use
the heuristic of picking the first krb5 principal in the keytab as the GSS identity to use for the
initiator. However, 'kinit -k -i', though it uses the client keytab, defaults to attempting to get
credentials for host/[hostname]. This latter functionality is of questionable utility, and the
inconsistency between the two scenarios has potential for confusion. We should probably switch
the kinit behavior to match the gssapi behavior.

From: kaduk@MIT.EDU
Subject: git commit

Do not default to host/ for client keytabs

When the normal (acceptor) keytab is being used to obtain initial
credentials, it is reasonable to use the default hostbased service
principal (host/fully.qualified.localhost.domain) when no client
principal is given. This behavior is not very reasonable when
the default client keytab is being used, as host/ credentials are
not normally client credentials.

Make kinit -i match up with the GSS-API behavior when client keytabs
are in use, using the name of the first entry in the keytab when
no name is explicitly given.
Author: Ben Kaduk <>
Commit: 6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e
Branch: master
src/clients/kinit/kinit.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)

From: kaduk@MIT.EDU
Subject: git commit

Test that kinit -k -i picks the intended principal

Prior to ticket 7892 it would use the default host/ principal
when no principal was given on the command line.
Author: Ben Kaduk <>
Commit: 44adf120d8548b9bb43a380e6f1889840c4a4a3d
Branch: master
src/tests/ | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
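
The ticket and the first commit both settle on "the first entry in the client keytab" as the default identity. The following added example (not code from the ticket or from the krb5 tree) shows how an administrator could check which principal that is for a given keytab file. It assumes the MIT file keytab layout, version 0x0502, treats a negative record length as a hole left by a removed entry, and uses constructed sample data with hypothetical principal names and a dummy key.

```python
import struct

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data

def build_entry(realm: bytes, components: list, deleted: bool = False) -> bytes:
    """Build one constructed keytab record with a dummy all-zero key."""
    body = struct.pack(">H", len(components)) + _counted(realm)
    body += b"".join(_counted(c) for c in components)
    body += struct.pack(">IIB", 1, 0, 1)                  # name type, timestamp, kvno
    body += struct.pack(">H", 17) + _counted(bytes(16))   # enctype, dummy key
    # A removed entry stays in the file as a hole with a negative length.
    return struct.pack(">i", -len(body) if deleted else len(body)) + body

def first_principal(keytab: bytes):
    """Return the principal name of the first live entry, or None."""
    if keytab[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 file keytab")
    pos = 2
    while pos + 4 <= len(keytab):
        (size,) = struct.unpack_from(">i", keytab, pos)
        pos += 4
        if size == 0:
            return None             # treated here as end of entries
        if size < 0:
            pos += -size            # skip the hole
            continue
        record = keytab[pos:pos + size]
        if len(record) < size:
            raise ValueError("truncated entry")
        fields, off = [], 2
        (ncomp,) = struct.unpack_from(">H", record, 0)
        for _ in range(ncomp + 1):  # realm first, then each name component
            (length,) = struct.unpack_from(">H", record, off)
            fields.append(record[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        return "/".join(fields[1:]) + "@" + fields[0]
    return None

# Constructed sample: a removed host/ entry followed by two live entries.
SAMPLE = b"\x05\x02" + b"".join([
    build_entry(b"EXAMPLE.COM", [b"host", b"client.example.com"], deleted=True),
    build_entry(b"EXAMPLE.COM", [b"svc-backup"]),
    build_entry(b"EXAMPLE.COM", [b"alice"]),
])

if __name__ == "__main__":
    print(first_principal(SAMPLE))
```

Because the default identity depends on entry order, appending a new principal to an existing client keytab does not change it, while rebuilding the keytab in a different order does.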