Question

I use the GSS API to authenticate myself with the SMB 2.0 server using Kerberos authentication (`gss_init_sec_context` call). I know that I can renew the TGT using the `kinit -R` command. But I want to be able to renew the service ticket I obtained as well.

In the protocol spec it says the client needs to renew the Kerberos tickets.

Is it possible to renew a service ticket? Or should I create a new context?

Any pointers about this related to SMB 2.0 reauthentication using the GSS API are also really welcome.

Solution

Does the service ticket contain a RENEWABLE flag?

You cannot renew any tickets with the GSS-API. This must be done with the mechanism below by other means. GSS-API is too high-level, it actually does not know anything about the underlying mech -- in this case Kerberos -- technique.

This shouldn't bother you actually; as long as a service ticket is cached in the CC, the API will/should reuse it with a new context. Since SMB is session-based, you must have a new GSS context for that.

If you still want to tamper with the mechanics below, study this site. Though I would not recommend this.
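
An added example, not part of the original answer: it checks the answer's first question (does the service ticket carry the RENEWABLE flag?) by parsing `klist -f` output and reporting the `R` flag per cached service ticket. The sample output, the principals and the function names are constructed for illustration and assume the MIT `klist -f` layout.

```python
import re

# Constructed sample of MIT `klist -f` output (not from the original post).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/12/2023 10:00:00  06/12/2023 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/19/2023 10:00:00, Flags: FRIA
06/12/2023 10:05:00  06/12/2023 20:00:00  cifs/fs1.example.com@EXAMPLE.COM
\trenew until 06/19/2023 10:00:00, Flags: FRAT
06/12/2023 10:06:00  06/12/2023 20:00:00  cifs/fs2.example.com@EXAMPLE.COM
\tFlags: FAT
"""

# Assumed timestamp layout; klist's date format can vary with locale.
TS = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
DETAIL = re.compile(rf"^\s+(?:renew until ({TS}), )?Flags: (\w+)$")

def parse_klist(text):
    """Return one dict per cached ticket, with its flags attached."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append({"start": m[1], "expires": m[2], "principal": m[3],
                            "renew_until": None, "flags": ""})
            continue
        d = DETAIL.match(line)
        if d and tickets:
            # The indented detail line belongs to the ticket printed just above it.
            tickets[-1]["renew_until"], tickets[-1]["flags"] = d[1], d[2]
    return tickets

def service_ticket_report(text):
    """Map each non-TGT service principal to whether it carries the R flag."""
    return {t["principal"]: "R" in t["flags"]
            for t in parse_klist(text)
            if not t["principal"].startswith("krbtgt/")}

if __name__ == "__main__":
    for principal, renewable in service_ticket_report(SAMPLE).items():
        print(f"{principal}: {'renewable' if renewable else 'not renewable'}")
```
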

Licensed under: CC-BY-SA with attribution