Need help: How to use different caches for TGT and TGS.

Greg Hudson ghudson at mit.edu
Thu Dec 13 15:29:28 EST 2018


On 12/13/2018 12:00 AM, Santosh Kumar wrote:
> I have the default TGT in the default cache location /tmp/krb5cc_36073.
> 
> How do I get a TGS and store it in a different cache, but use the TGT
> from the default cache location?

MIT krb5 doesn't have an option for this in kvno.  You could of course 
copy the ccache containing the TGT and point kvno at the copy, but if 
the goal is to produce a ccache that doesn't contain the TGT, that's not 
helpful.  You could alternatively use "kinit -S servicename" to bypass 
getting a TGT entirely.

From a code perspective, you can do what you want by passing 
KRB5_GC_NO_STORE to krb5_get_credentials(), then explicitly resolving 
the target ccache (krb5_cc_resolve()), initializing it with the client 
principal (krb5_cc_initialize()), and storing the cred returned by 
krb5_get_credentials().  That's what Heimdal's kgetcred does in 
essence--it uses a fancier krb5_get_creds_opt interface to pass 
KRB5_GC_NO_STORE, and MIT krb5 doesn't have that, but the option can 
simply be passed in the flags parameter.

