Need help: How to use different caches for TGT and TGS.
Greg Hudson
ghudson at mit.edu
Thu Dec 13 15:29:28 EST 2018
On 12/13/2018 12:00 AM, Santosh Kumar wrote:
> Have default TGT in default cache location /tmp/krb5cc_36073 .
>
> How to get TGS and store in different cache , but use TGT from default
> cache location?
MIT krb5 doesn't have an option for this in kvno. You could of course
copy the ccache containing the TGT and point kvno at the copy, but if
the goal is to produce a ccache that doesn't contain the TGT, that's not
helpful. You could alternatively use "kinit -S servicename" to bypass
getting a TGT entirely.
From a code perspective, you can do what you want by passing
KRB5_GC_NO_STORE to krb5_get_credentials(), then explicitly resolving
the target ccache (krb5_cc_resolve()), initializing it with the client
principal (krb5_cc_initialize()), and storing the cred returned by
krb5_get_credentials(). That's what Heimdal's kgetcred does in
essence--it uses a fancier krb5_get_creds_opt interface to pass
KRB5_GC_NO_STORE, and MIT krb5 doesn't have that, but the option can
simply be passed in the flags parameter.
More information about the Kerberos
mailing list