Is KRB5_CONFIG info cached?

Marcus Watts mdw at
Thu Jun 29 18:43:28 EDT 2006

Mike Friedman <mikef at> writes:
> Date: Thu, 29 Jun 2006 14:21:57 -0700 (PDT)
> From: Mike Friedman <mikef at>
> To: kerberos at
> Subject: Is KRB5_CONFIG info cached?
> In-Reply-To: <200606212039.k5LKdYDa013625 at>
> [I apologize for the length of this, but it's about a problem that is 
> proving to be very inscrutable and it needs some explanation].
> I'm doing some testing of code that authenticates against both an MIT K5 
> KDC and an Active Directory KDC.  I've written a perl subroutine that uses 
> Jeff Horwitz's Authen::Krb5 module, which seems to work fine for 
> individual authentications.
> However, here's my problem.  I need to call my subroutine twice from the 
> same perl script, once pointing to our MIT KDC and the second time 
> pointing to our campus AD KDC.  I control which KDC I'm using by 
> manipulating the 'KRB5_CONFIG' environment variable within my subroutine, 
> based on an argument from the caller that specifies the KDC to use.  And, 
> of course, depending on which KDC it is, I use a keytab file that was 
> generated on the appropriate KDC.

As long as the KDCs are in different realms, you ought to be able
to use one context, and one KRB5_CONFIG file, to access both.  It
doesn't matter if you normally use SRV records; if you put
explicit host information in your config file, kerberos will use
that; if you set [libdefaults] dns_fallback = false, you can
forbid it from even thinking about looking at DNS.
The kerberos server will not know or care whether you found it
via DNS or a config file.

As it happens, I've been using Jeff's code for some other stuff.

So, at a closer look at Jeff Horwitz's code, looks like he
expects Authen::Krb5::init_context().  He's got this
right before:
	if (context) croak("Authen::Krb5 already initialized");

So the first call you make to Authen::Krb5::init_context() will pick
up whatever's currently in KRB5_CONFIG, and you can't be making any
subsequent calls to that unless you're catching and discarding the
ensuing croak.  If you want to have fun, you can probably call
but that won't buy you anything unless you edit Krb5.xs and
add a "context = 0" after the krb5_free_context call.

				-Marcus Watts

More information about the Kerberos mailing list