Is KRB5_CONFIG info cached?

Ken Raeburn raeburn at MIT.EDU
Thu Jun 29 19:51:03 EDT 2006


On Jun 29, 2006, at 19:41, Mike Friedman wrote:
>> If these KDCs are for two different realms, can you list both  
>> config files in KRB5_CONFIG?
>
> But then how do I get the *default realm* set correctly?  In my
> script, I do a parse_name() to create a principal object
> corresponding to the TGS service principal (e.g.,
> krbtgt/<realm>@<realm>).  (It's this principal object that I must pass to
> get_in_tkt_with_password()).  And, unfortunately, parse_name()
> complains if my config file doesn't have a default realm, so
> defining both realms in the [realms] stanza doesn't do me any good.

krb5_set_default_realm ?

> But if I do define a default realm, then that's the KDC to which I  
> get connected, regardless of the realm name I specify when  
> constructing the TGS service principal name itself.

That sounds like a bug.  If this is for getting initial tickets, and  
you're specifying the non-default realm in both the client principal  
name and the TGS service principal name, it should only contact that  
non-default realm's KDC.

> But given that I get a new context each time, why can't I reset the  
> value of KRB5_CONFIG on each call and have it be honored?  This is  
> the crux of the matter, apparently.

If you don't mind digging into the krb5 library code, change
lib/krb5/os/init_os_ctx.c:os_get_default_config_files or set a breakpoint in
gdb, and examine the result of calling getenv.

Ken


