krb5 library missing functions for collections

Charles Hedrick hedrick at rutgers.edu
Mon Jul 22 13:39:03 EDT 2019


Please be aware that I’m using Redhat’s KCM implementation in sssd. It’s supposed to be compatible with Heimdal’s, but based on documentation it appears that it may not be.

The default value of KRB5CCNAME is simply KCM:  It had better be user-specific, or everybody shares a collection.

geneva:~/kerberos> klist -A
Ticket cache: KCM:1000:737
Default principal: hedrick at CS.RUTGERS.EDU

Valid starting       Expires              Service principal
07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/CS.RUTGERS.EDU at CS.RUTGERS.EDU
renew until 07/16/2020 09:53:19

geneva:~/kerberos> setenv KRB5CCNAME KCM:1000
geneva:~/kerberos> klist
klist: No credentials cache found

geneva:~/kerberos> setenv KRB5CCNAME KCM:
geneva:~/kerberos> klist
Ticket cache: KCM:1000:737
Default principal: hedrick at CS.RUTGERS.EDU

Valid starting       Expires              Service principal
07/22/2019 12:35:34  07/22/2019 20:33:37  krbtgt/CS.RUTGERS.EDU at CS.RUTGERS.EDU
renew until 07/16/2020 09:53:19

I don’t know how it’s implemented, but it behaves as if KCM:1000 is a specific cache, and only KCM: can access the whole collection.

Note that root can’t read other users’ caches, so in a daemon I have to use setreuid to change to a user and then look at KCM:

I get the same results on my Mac if I use a Macports port of MIT Kerberos. With the builtin utilities I can’t make KCM work at all.


On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghudson at mit.edu> wrote:

The KCM daemon's namespace is machine-global, not uid-specific, and I
don't think doing setruid() would be visible to the daemon anyway (it
should see the euid of the client, not the ruid).
