TGT for principals getting destroyed automatically

Russ Allbery rra at
Fri May 3 11:47:59 EDT 2013

Greg Hudson <ghudson at MIT.EDU> writes:

> Prior to the 1.11 release, there is no config file setting for the
> default credential cache.  The only discovery mechanisms are the
> KRB5CCNAME environment variable (which is often set by the login system,
> if pam_krb5 is in use) and the hardcoded default of /tmp/krb5cc_NNNN.

> In the 1.11 release, the default credential cache can be specified in
> the [libdefaults] section of /etc/krb5.conf with the default_ccache_name
> variable.  The value is subject to parameter expansion as described here:


Note that if you're using a Kerberos PAM module, you will probably need to
separately configure its cache location, since most Kerberos PAM modules
don't use the library default.  The library default has been
/tmp/krb5cc_NNNN for ages, and that default cache naming doesn't allow for
a separate ticket cache per login session (which is normally the behavior
people want).  Therefore, most PAM modules have their own independent

For mine, for example:

    When pam_setcred() is called to initialize a new ticket cache, the
    environment variable KRB5CCNAME is set to the path to that ticket
    cache.  By default, the cache will be named /tmp/krb5cc_UID_RANDOM
    where UID is the user's UID and RANDOM is six randomly-chosen letters.
    This can be configured with the ccache and ccache_dir options.

Russ Allbery (rra at             <>
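
The lookup order discussed in this thread (KRB5CCNAME, then `default_ccache_name` in `[libdefaults]` from 1.11 on, then the hardcoded default), as an added sketch that is not code from either poster or from MIT Kerberos. The function names, the sample krb5.conf text and the cache paths are constructed for illustration, and only the `%{uid}` expansion token is handled.

```python
import re

BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # the hardcoded /tmp/krb5cc_NNNN fallback

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
[realms]
"""

def libdefaults_ccache(conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None

def resolve_ccache(conf_text, env, uid):
    """Return (cache name, source) following the order described above."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"], "KRB5CCNAME"  # used as given
    name = libdefaults_ccache(conf_text)
    source = "default_ccache_name" if name else "hardcoded default"
    return (name or BUILTIN_DEFAULT).replace("%{uid}", str(uid)), source

def sessions_share_cache(conf_text, uid, env_a, env_b):
    """True when two sessions of one user resolve to the same cache."""
    return (resolve_ccache(conf_text, env_a, uid)[0]
            == resolve_ccache(conf_text, env_b, uid)[0])

if __name__ == "__main__":
    print(resolve_ccache(SAMPLE_CONF, {}, 1000))
    pam_a = {"KRB5CCNAME": "FILE:/tmp/krb5cc_1000_AbCdEf"}  # constructed
    pam_b = {"KRB5CCNAME": "FILE:/tmp/krb5cc_1000_QwErTy"}  # constructed
    print(sessions_share_cache(SAMPLE_CONF, 1000, {}, {}))
    print(sessions_share_cache(SAMPLE_CONF, 1000, pam_a, pam_b))
```

Two sessions that fall through to the library default resolve to one cache per UID, while sessions whose PAM module set KRB5CCNAME to a randomized name each get their own.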
