Behaviour of krb5 1.12

Greg Hudson ghudson at
Sat Jan 3 00:27:13 EST 2015

On 01/02/2015 05:35 PM, Markus Moeller wrote:
>    I lately changed from krb5 1.10 on OpenSuse 12.3 to krb5 1.12 on OpenSuse 
> 13.2 and wonder what is happening

The DIR ccache type was actually added in krb5 1.10, but presumably
OpenSUSE 12.3 wasn't using it by default, and OpenSUSE 13.2 is.

The basic expected behavior with the DIR ccache type is:

* kinit with a new principal name adds to the collection rather than
overwriting existing tickets.

* klist -l lists the caches in the collection.  klist -A lists
credentials in all caches in the collection.

* kswitch -p princname switches the primary cache.

* kdestroy -A destroys all caches in the collection.  kdestroy without
the -A option destroys only the primary cache.

* GSSAPI client applications typically use the primary cache, but can
access other caches if they request a specific client principal, if
configured to do so via the ~/.k5identity file, or based on the realm

I think your second invocation of socksify is choosing to use your
SUSE.HOME credentials to access a service in the SUSE.HOME realm (the
realm heuristic).  If this behavior is undesirable, there are a few

* Run kdestroy before running kinit with the new principal, effectively
disabling the collection behavior.

* Configure ~/.k5identity to choose the principal you want, if you can
define a fixed mapping from services to principals.  See the
k5identity(5) man page.

* Point KRB5CCNAME at the subsidiary cache you want to use (e.g.
DIR::/run/user/1000/krb5cc/tkt3a1A8Y).  We would like this to be easily
done via the kswitch command (e.g. "kswitch mm at WIN2003R2.HOME socksify
...") but we haven't implemented that yet.
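As an added example (not part of Greg Hudson's message and not code from krb5), the following POSIX shell wrapper does per command what the message says kswitch cannot yet do: it looks up the subsidiary cache for a given principal in the DIR collection and runs one command with KRB5CCNAME pointed at that cache, so the realm heuristic cannot select another principal's tickets. It assumes the collection is the default ccache and that `klist -l` prints a two-line header followed by "principal  cachename" rows with an optional "(Expired)" trailer, as krb5 1.12's klist does; the function names and the `list_caches` hook are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original message or of krb5 itself.
# Assumptions: the DIR collection is the default ccache, and `klist -l`
# prints a two-line header followed by "principal  cachename [(Expired)]"
# rows as krb5 1.12's klist does. Function names are this example's own.

# Source of the cache listing; a single hook so it can be replaced offline.
list_caches() {
    klist -l
}

# cache_for_principal PRINC   (reads `klist -l` output on stdin)
# Prints the full cache name (e.g. DIR::/run/user/1000/krb5cc/tkt3a1A8Y)
# for the exact principal PRINC, skipping expired entries. Returns 1 if
# the collection holds no unexpired cache for that principal.
cache_for_principal() {
    awk -v p="$1" '
        NR > 2 && $1 == p && $3 != "(Expired)" { print $2; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# with_principal PRINC CMD [ARGS...]
# Runs CMD with KRB5CCNAME pointed at PRINC's subsidiary cache, the
# per-command form of "point KRB5CCNAME at the subsidiary cache you want".
# The collection itself is left untouched, unlike kdestroy-before-kinit.
with_principal() {
    princ="$1"
    shift
    cache=$(list_caches | cache_for_principal "$princ") || {
        echo "with_principal: no unexpired cache for $princ in the collection" >&2
        return 1
    }
    KRB5CCNAME="$cache" "$@"
}

# Interactive use (needs a KDC and a populated collection; not run here):
#   with_principal mm@WIN2003R2.HOME socksify <socksify arguments>
```

Because the wrapper sets KRB5CCNAME only in the environment of the one command it launches, the primary cache chosen with kswitch stays in effect for everything else in the session, and an expired or missing cache produces an error rather than silently falling back to whatever the realm heuristic would pick.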
