KRB5CCNAME is not reread
Stephen Frost
sfrost at snowman.net
Thu Feb 2 20:54:09 EST 2006
* Jeffrey Altman (jaltman2 at nyc.rr.com) wrote:
> Russ Allbery wrote:
> > "Brian C DeRocher" <brian.derocher at mitretek.org> writes:
> >> They have the form /tmp/krb5cc_apache_xxxxxx. Each web request has a
> >> different suffix. However mod_php stays in memory. It appears that
> >> libkrb5 doesn't check if KRB5CCNAME has changed.
> >
> > mod_php would need to close and reopen the ticket cache, I believe, to
> > pick up the change in the default ticket cache name.
>
> KRB5CCNAME is an environment variable that is used by the krb5 library
> to obtain the "default" credential cache name. This is used when the
> application chooses to open the default credentials cache. The
> application passes a handle to the credential cache to the library with
> each call. If the credential cache needs to be changed, it is the
> responsibility of the application to make that decision.
Fair enough, so perhaps PostgreSQL isn't doing something quite right.
Here's what it's doing inside PQconnectdb() wrt krb5, in a nutshell:
----------------------------
/* Set up a krb5 context; pg_krb5_context and pg_krb5_ccache are statics in libpq. */
krb5_init_context(&pg_krb5_context);
/* Resolve the default credential cache (driven by KRB5CCNAME at this call). */
krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
/* Read the client principal out of that cache and render it as a string. */
krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache, &pg_krb5_client);
krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
/* Build the server principal (service/hostname) and authenticate over the socket. */
krb5_sname_to_principal(pg_krb5_context, hostname, servicename,
                        KRB5_NT_SRV_HST, &server);
krb5_sendauth(pg_krb5_context, &auth_context, &sock, servicename,
              pg_krb5_client, server, AP_OPTS_MUTUAL_REQUIRED, NULL, 0,
              pg_krb5_ccache, &err_ret, NULL, NULL);
krb5_free_principal(pg_krb5_context, server);
/* Note: the ccache handle is never closed here. */
----------------------------
It doesn't appear to do anything wrt krb5 in PQfinish().
Now, between the two PQconnectdb() calls the KRB5CCNAME environment
variable changes, which means that it's different between the first
krb5_cc_default() call and the second, yet the second call doesn't seem
to notice this. It looks like pg_krb5_ccache is actually a static
variable. If that's not empty when krb5_cc_default() is called, does
krb5_cc_default() just leave it as-is? Looking at this more closely I'm
starting to think the problem is with PostgreSQL after all. :/
Thanks for the comments,
Stephen
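As an added illustration of the failure mode discussed in this thread (not code from PostgreSQL or from libkrb5): the program below models a credential-cache handle as a struct that records only the resolved cache name, and a stand-in cc_default() that derives that name from KRB5CCNAME the way krb5_cc_default() does (the per-uid FILE: fallback is a simplification; real libkrb5 also consults krb5.conf). Everything here is constructed; connect_with_static_cache() reproduces the "resolve once into a static, never close" pattern, while connect_with_fresh_cache() re-resolves the default cache on every connect and retains nothing, which is what a libpq-style client would need to do (with krb5_cc_close() on the old handle) to honour a changed KRB5CCNAME.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for an opaque krb5_ccache handle: only the resolved name matters here. */
typedef struct {
    char name[256];
} ccache_t;

/* Stand-in for krb5_cc_default(): read KRB5CCNAME at call time, falling back
 * to the per-uid file cache (simplified model of libkrb5's default). */
static int cc_default(ccache_t *out)
{
    const char *env = getenv("KRB5CCNAME");
    if (env && *env)
        snprintf(out->name, sizeof out->name, "%s", env);
    else
        snprintf(out->name, sizeof out->name, "FILE:/tmp/krb5cc_%ld", (long)getuid());
    return 0;
}

/* The pattern under suspicion in the thread: the handle lives in a static,
 * is filled in once, and is never closed, so every later "connect" keeps
 * using the cache that KRB5CCNAME named on the first call. */
static ccache_t stale_cache;
static int stale_cache_open = 0;

const char *connect_with_static_cache(void)
{
    if (!stale_cache_open) {
        cc_default(&stale_cache);
        stale_cache_open = 1;
    }
    return stale_cache.name;
}

/* The pattern a client needs instead: resolve the default cache on each
 * connect, use it, then release it (krb5_cc_close in real code) so the
 * next connect sees whatever KRB5CCNAME says at that moment. */
const char *connect_with_fresh_cache(char *buf, size_t buflen)
{
    ccache_t cc;
    cc_default(&cc);
    snprintf(buf, buflen, "%s", cc.name);
    /* cc is released here; nothing about it survives to the next call */
    return buf;
}

int main(void)
{
    char buf[256];
    /* Constructed cache names in the style of the /tmp/krb5cc_apache_xxxxxx ones from the thread. */
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_apache_aaaaaa", 1);
    printf("static, first request : %s\n", connect_with_static_cache());
    printf("fresh,  first request : %s\n", connect_with_fresh_cache(buf, sizeof buf));
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_apache_bbbbbb", 1);
    printf("static, second request: %s  (stale!)\n", connect_with_static_cache());
    printf("fresh,  second request: %s\n", connect_with_fresh_cache(buf, sizeof buf));
    return 0;
}
```

The point for a long-lived process such as mod_php is visible in the second pair of lines: the static handle still names the first request's cache, so the second request would authenticate with the first user's credentials unless the client closes and re-resolves the cache per connection.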