Can credentials from different realms be put in the same /tmp/krb5cc_<uid> file?
Mark Montague
markmont at umich.edu
Thu Jul 31 11:33:02 EDT 2003
On Thu, 31 Jul 2003, Grace Tsai wrote:
> We have three different realms listed in our krb5.conf file.
> How can we let users keep credentials given by different realms
> into the same /tmp/krb5cc_<uid> file?
Some Kerberized applications or utilities may have trouble dealing with
credentials cache files containing tickets from multiple realms, but
if so, this would be either deliberately by design or because of
bad assumptions made by those programs. There is nothing in the format
of the credentials cache file that precludes this. One of my credentials
caches currently contains:
    sirus# klist -5 /ticket/krb5cc_apache_5366
    Ticket cache: FILE:/ticket/krb5cc_apache_5366
    Default principal: markmont/www@UMICH.EDU

    Valid starting     Expires            Service principal
    07/31/03 09:52:18  07/31/03 11:52:18  krbtgt/UMICH.EDU@UMICH.EDU
    07/31/03 09:52:15  08/04/03 09:52:15  krbtgt/LSA.UMICH.EDU@LSA.UMICH.EDU
            for client markmont/www@LSA.UMICH.EDU
    07/31/03 09:52:15  08/04/03 09:52:15  afs@LSA.UMICH.EDU
            for client markmont/www@LSA.UMICH.EDU
    07/31/03 09:52:19  07/31/03 11:52:18  afs@UMICH.EDU
    sirus#
...and this works fine. This credentials cache file was not created
by kinit, however -- this credentials cache was created by one of our
in-house applications, using the MIT Kerberos 5 libraries and API. The
Kerberized applications that I've tested with have no problem
understanding multiple realms in a single credentials cache file, but
it wouldn't surprise me at all to find some programs that can't handle
this.
kinit from MIT Kerberos 5 version 1.2.5 is one of the programs that
can't handle multiple realms in a single credentials cache, but this
is by design: the kinit(1) manpage says:

    Any existing contents of the cache are destroyed by kinit.

...and so of course the following sort of thing doesn't work:
    mozi% kinit -c /ticket/krb5cc_5366 markmont@LSA.UMICH.EDU
    Password for markmont@LSA.UMICH.EDU:
    mozi% klist -5 /ticket/krb5cc_5366
    Ticket cache: FILE:/ticket/krb5cc_5366
    Default principal: markmont@LSA.UMICH.EDU

    Valid starting     Expires            Service principal
    07/31/03 11:22:18  07/31/03 21:22:22  krbtgt/LSA.UMICH.EDU@LSA.UMICH.EDU
    mozi% kinit -c /ticket/krb5cc_5366 markmont@UMICH.EDU
    Password for markmont@UMICH.EDU:
    mozi% klist -5 /ticket/krb5cc_5366
    Ticket cache: FILE:/ticket/krb5cc_5366
    Default principal: markmont@UMICH.EDU

    Valid starting     Expires            Service principal
    07/31/03 11:22:38  07/31/03 21:22:38  krbtgt/UMICH.EDU@UMICH.EDU
    mozi%
Mark Montague
LS&A Information Technology
The University of Michigan
markmont at umich.edu
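The point of the reply above is that the MIT FILE credentials cache format itself has no per-realm restriction; only individual tools such as kinit impose one. The following is an added example (not from the post, not part of MIT Kerberos) that encodes and then parses a version 4 FILE ccache containing tickets from two realms, listing them much as klist does. All sample values (principal names taken from the post, times, the enctype, key and ticket bytes) are constructed placeholders, and the layout follows the published MIT ccache file format; the helper names are the example's own.

```python
"""Minimal encoder/parser for the MIT Kerberos 5 FILE ccache format (version 4).
Shows that one cache can hold credentials from several realms. Ticket and key
bytes below are constructed placeholders, not real Kerberos tickets."""
import struct
import time

CCACHE_V4 = b"\x05\x04"  # file format version 4
NT_PRINCIPAL = 1         # KRB5_NT_PRINCIPAL name type


def _counted(data: bytes) -> bytes:
    """32-bit big-endian length followed by the bytes (v4 counted octet string)."""
    return struct.pack(">I", len(data)) + data


def encode_principal(name: str) -> bytes:
    """'comp1/comp2@REALM' -> name type, component count, realm, components.
    In v4 the realm is not counted as a component."""
    primary, realm = name.rsplit("@", 1)
    comps = primary.split("/")
    out = struct.pack(">II", NT_PRINCIPAL, len(comps)) + _counted(realm.encode())
    return out + b"".join(_counted(c.encode()) for c in comps)


def encode_credential(client: str, server: str, start: int, end: int) -> bytes:
    """One credential entry; keyblock, flags and ticket bodies are placeholders."""
    keyblock = struct.pack(">HI", 18, 4) + b"\x00" * 4   # enctype, key length, dummy key
    times = struct.pack(">IIII", start, start, end, 0)    # authtime, starttime, endtime, renew_till
    body = encode_principal(client) + encode_principal(server) + keyblock + times
    body += b"\x00"                                 # is_skey
    body += struct.pack(">I", 0)                    # ticket_flags
    body += struct.pack(">I", 0)                    # address count: none
    body += struct.pack(">I", 0)                    # authdata count: none
    body += _counted(b"constructed-ticket-bytes")   # ticket (placeholder)
    body += _counted(b"")                           # second_ticket
    return body


def build_ccache(default_principal: str, creds) -> bytes:
    """Version bytes, empty header block, default principal, then each credential."""
    header = struct.pack(">H", 0)  # header length 0: no KDC time offset tag
    return CCACHE_V4 + header + encode_principal(default_principal) + \
        b"".join(encode_credential(*c) for c in creds)


class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated credentials cache")
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self): return self.take(self.u32())
    def done(self): return self.pos >= len(self.buf)


def _read_principal(r: _Reader) -> str:
    r.u32()                                   # name type, not needed for display
    ncomp = r.u32()
    realm = r.counted().decode()
    return "/".join(r.counted().decode() for _ in range(ncomp)) + "@" + realm


def parse_ccache(buf: bytes):
    """Return (default_principal, [credential dicts]) from a v4 FILE ccache."""
    r = _Reader(buf)
    if r.take(2) != CCACHE_V4:
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                           # skip header tags
    default_principal = _read_principal(r)
    creds = []
    while not r.done():
        client, server = _read_principal(r), _read_principal(r)
        r.u16(); r.counted()                  # keyblock: enctype, key bytes
        authtime, starttime, endtime, renew_till = (r.u32() for _ in range(4))
        r.u8(); r.u32()                       # is_skey, ticket_flags
        for _ in range(r.u32()):              # addresses: addrtype, data
            r.u16(); r.counted()
        for _ in range(r.u32()):              # authdata: adtype, data
            r.u16(); r.counted()
        r.counted(); r.counted()              # ticket, second_ticket
        creds.append({"client": client, "server": server, "start": starttime, "end": endtime})
    return default_principal, creds


def realms_in_cache(buf: bytes) -> set:
    """Distinct realms that issued tickets in the cache (realm of each server principal)."""
    return {c["server"].rsplit("@", 1)[1] for c in parse_ccache(buf)[1]}


# Constructed sample mirroring the first klist output in the post (times in UTC).
SAMPLE_CCACHE = build_ccache("markmont/www@UMICH.EDU", [
    ("markmont/www@UMICH.EDU", "krbtgt/UMICH.EDU@UMICH.EDU", 1059659538, 1059666738),
    ("markmont/www@LSA.UMICH.EDU", "krbtgt/LSA.UMICH.EDU@LSA.UMICH.EDU", 1059659535, 1060005135),
])

if __name__ == "__main__":
    default, creds = parse_ccache(SAMPLE_CCACHE)
    print("Default principal:", default)
    for c in creds:
        expires = time.strftime("%m/%d/%y %H:%M:%S UTC", time.gmtime(c["end"]))
        print(expires, c["server"], "for client", c["client"])
    print("Realms present:", sorted(realms_in_cache(SAMPLE_CCACHE)))
```

The parser walks the whole file and stops only at end of input, so a cache with tickets from any number of realms is listed without complaint; a tool that insists on one realm does so in its own logic, not because the file could not express it. The same parser run against the second scenario in the post would show a single credential after each kinit, since kinit rewrites the file rather than appending to it.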