Behaviour of krb5 1.12

Markus Moeller huaraz at
Sat Jan 3 08:26:03 EST 2015

Hi Greg,

   Thank you very much for the explanation. I should read the updates to the
versions more often.


"Greg Hudson"  wrote in message news:54A77DB1.6090502 at

On 01/02/2015 05:35 PM, Markus Moeller wrote:
>    I recently changed from krb5 1.10 on OpenSuse 12.3 to krb5 1.12 on
> OpenSuse 13.2 and wonder what is happening

The DIR ccache type was actually added in krb5 1.10, but presumably
OpenSUSE 12.3 wasn't using it by default, and OpenSUSE 13.2 is.

The basic expected behavior with the DIR ccache type is:

* kinit with a new principal name adds to the collection rather than
overwriting existing tickets.

* klist -l lists the caches in the collection.  klist -A lists
credentials in all caches in the collection.

* kswitch -p princname switches the primary cache.

* kdestroy -A destroys all caches in the collection.  kdestroy without
the -A option destroys only the primary cache.

* GSSAPI client applications typically use the primary cache, but can
access other caches if they request a specific client principal, if
configured to do so via the ~/.k5identity file, or based on the realm

I think your second invocation of socksify is choosing to use your
SUSE.HOME credentials to access a service in the SUSE.HOME realm (the
realm heuristic).  If this behavior is undesirable, there are a few

* Run kdestroy before running kinit with the new principal, effectively
disabling the collection behavior.

* Configure ~/.k5identity to choose the principal you want, if you can
define a fixed mapping from services to principals.  See the
k5identity(5) man page.

* Point KRB5CCNAME at the subsidiary cache you want to use (e.g.
DIR::/run/user/1000/krb5cc/tkt3a1A8Y).  We would like this to be easily
done via the kswitch command (e.g. "kswitch mm at WIN2003R2.HOME socksify
...") but we haven't implemented that yet.
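The DIR ccache layout behind the behaviour Greg describes, as an added example that is not part of the thread: a DIR collection is a directory holding one cache file per principal (named tkt*) plus a file called primary that names which of them the tools treat as the primary cache. KRB5CCNAME=DIR:/path selects the collection (and therefore the primary, with the realm heuristic still in play), while KRB5CCNAME=DIR::/path/tktXXXX pins one subsidiary cache. The functions below build a constructed, empty collection in a scratch directory to make that distinction visible without a KDC; the tkt file names and directory are placeholders, and no real tickets are involved.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Builds a constructed
# DIR ccache collection to show its on-disk layout and the two KRB5CCNAME
# spellings. The cache files are empty placeholders, not real tickets.

# Layout of a DIR collection: one "tkt*" file per cache plus a "primary"
# file whose single line names the tkt* file currently used as primary.
make_collection() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/tktAAAA1"            # constructed placeholder cache file
    : > "$dir/tktBBBB2"            # constructed placeholder cache file
    printf 'tktAAAA1\n' > "$dir/primary"
}

# Name of the primary cache in a collection (what "kswitch -p" changes).
dir_primary() {
    tr -d '\n' < "$1/primary"
}

# KRB5CCNAME value selecting the whole collection; the primary cache is
# used unless .k5identity or the realm heuristic picks another one.
collection_ccname() {
    printf 'DIR:%s' "$1"
}

# KRB5CCNAME value pinning one subsidiary cache, bypassing the primary
# and the realm heuristic entirely (the KRB5CCNAME option in the thread).
subsidiary_ccname() {
    printf 'DIR::%s/%s' "$1" "$2"
}

# Emulate what kswitch does: repoint "primary" at another existing cache.
# Refuses names that are not present in the collection.
switch_primary() {
    [ -f "$1/$2" ] || return 1
    printf '%s\n' "$2" > "$1/primary"
}

# Stand-alone demonstration with a scratch directory.
demo() {
    tmp=$(mktemp -d)
    make_collection "$tmp/krb5cc"
    echo "primary:     $(dir_primary "$tmp/krb5cc")"
    echo "collection:  $(collection_ccname "$tmp/krb5cc")"
    echo "subsidiary:  $(subsidiary_ccname "$tmp/krb5cc" tktBBBB2)"
    switch_primary "$tmp/krb5cc" tktBBBB2
    echo "after switch: $(dir_primary "$tmp/krb5cc")"
    rm -rf "$tmp"
}
```

In practice the subsidiary form is used as `KRB5CCNAME=$(subsidiary_ccname /run/user/1000/krb5cc tkt3a1A8Y) socksify ...`, which is the manual equivalent of the kswitch-with-command feature Greg says was not implemented yet. The k5identity(5) alternative he mentions is a one-line mapping in ~/.k5identity such as `mm@WIN2003R2.HOME realm=SUSE.HOME`, which tells GSSAPI clients to use the WIN2003R2.HOME principal for services in the SUSE.HOME realm instead of following the realm heuristic.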
