Is KRB5_CONFIG info cached?
raeburn at MIT.EDU
Thu Jun 29 19:51:03 EDT 2006
On Jun 29, 2006, at 19:41, Mike Friedman wrote:
>> If these KDCs are for two different realms, can you list both
>> config files in KRB5_CONFIG?
> But then how do I get the *default realm* set correctly? In my
> script, I do a parse_name() to create a principal object
> corresponding to the TGS service principal (e.g.,
> krbtgt/<realm>@<realm>). (It's this principal object that I must pass to
> get_in_tkt_with_password()). And, unfortunately, parse_name()
> complains if my config file doesn't have a default realm, so
> defining both realms in the [realms] stanza doesn't do me any good.
> But if I do define a default realm, then that's the KDC to which I
> get connected, regardless of the realm name I specify when
> constructing the TGS service principal name itself.
That sounds like a bug. If this is for getting initial tickets, and
you're specifying the non-default realm in both the client principal
name and the TGS service principal name, it should only contact that
non-default realm's KDC.
> But given that I get a new context each time, why can't I reset the
> value of KRB5_CONFIG on each call and have it be honored? This is
> the crux of the matter, apparently.
If you don't mind digging into the krb5 library code, change
lib/krb5/os/init_os_ctx.c:os_get_default_config_files or set a
breakpoint in gdb, and examine the result of calling getenv.