KRB5 ccache on MACOS

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Oct 11 09:04:59 EDT 2021


>It is
>
>#sw_vers
>ProductName:    macOS
>ProductVersion: 11.6
>BuildVersion:   20G165

Alright, so, Big Sur.

There were significant changes in the credential cache support on Big Sur.
I didn't check for file cache support, but .... it looks like to me that
in fact Kerberos on Big Sur _does_ respect the KRB5CCNAME environment
variable:

% env KRB5CCNAME=FILE:/tmp/foo klist
Credentials cache: FILE:/tmp/foo
        Principal: kenh at CMF.NRL.NAVY.MIL
[...]

Now it may be that gss_init_sec_context() may be doing something slightly
more magical.  If that is the case ... well, I'm not sure there is an
easy fix for that.

You can share API credential caches; prior to Big Sur it used Mach Ports
for the IPC mechanism, and that was based on the Unix userid for access.
With the new mechanism, I am not sure how that works, exactly.  Specifically
I do not know whether or not you can access one set of credentials from
another login session.

Regarding your problem with MIT Kerberos, I think your problem THERE is
that MIT Kerberos does not support the new credential cache mechanism on
Big Sur, and basically that error you are getting means "No credentials
found".  I submitted a pullup request to add support for that, and it
is here:

	https://github.com/krb5/krb5/pull/1221

If you apply that patch to MIT Kerberos, it might work better for you.

--Ken
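The FILE: cache that klist reads in the exchange above is a plain binary file, and the KRB5CCNAME value is just a cache type prefix plus a residual. The following is an added example, not part of Ken's post and not code from MIT krb5 or Heimdal: it writes a credential cache in FILE format version 4 (the layout both MIT krb5 and Heimdal write) containing one constructed krbtgt entry for the principal shown above, then parses the file back the way klist does. The dummy session key and ticket bytes, the ticket flag value, the lifetime and the temporary file path are all constructed for the example. parse_ccache_name shows how a KRB5CCNAME value such as FILE:/tmp/foo, API: or KCM:501 splits into type and residual (a bare path is treated as FILE:, which is MIT's default type; macOS defaults to API: when the variable is unset).

```python
"""Reader/writer for the Kerberos FILE: credential cache, format v4 (example code)."""
import os
import struct
import tempfile

FCC_TAG_DELTATIME = 1  # header tag carrying the KDC time offset (sec, usec)
KRB5_NT_PRINCIPAL = 1  # name type written for every principal below


def parse_ccache_name(name):
    """Split a KRB5CCNAME value into (type, residual); a bare path means FILE:."""
    if ":" in name and not name.startswith("/"):
        ctype, residual = name.split(":", 1)
        return ctype.upper(), residual
    return "FILE", name


def _data(b):
    """krb5 'data' item: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(pname):
    """Encode name/comps@REALM: name type, component count, realm, components."""
    name, realm = pname.rsplit("@", 1)
    comps = name.split("/")
    out = struct.pack(">II", KRB5_NT_PRINCIPAL, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)


def write_ccache(path, default_principal, creds):
    """Write a v4 FILE ccache: 0x0504, header, default principal, credentials."""
    header = struct.pack(">HH", FCC_TAG_DELTATIME, 8) + struct.pack(">II", 0, 0)
    buf = b"\x05\x04" + struct.pack(">H", len(header)) + header
    buf += _principal(default_principal)
    for c in creds:
        buf += _principal(c["client"]) + _principal(c["server"])
        buf += struct.pack(">H", c["enctype"]) + _data(c["key"])  # keyblock
        buf += struct.pack(">IIII", *c["times"])  # authtime, start, end, renew_till
        buf += struct.pack(">BI", 0, c["flags"])  # is_skey, ticket_flags
        buf += struct.pack(">I", 0)               # no addresses
        buf += struct.pack(">I", 0)               # no authorization data
        buf += _data(c["ticket"]) + _data(b"")    # ticket, second_ticket
    with open(path, "wb") as f:
        f.write(buf)


class _Reader:
    def __init__(self, b):
        self.b, self.o = b, 0

    def take(self, n):
        if self.o + n > len(self.b):
            raise ValueError("truncated ccache")
        v = self.b[self.o:self.o + n]
        self.o += n
        return v

    def u(self, fmt):
        return struct.unpack(">" + fmt, self.take(struct.calcsize(">" + fmt)))

    def data(self):
        return self.take(self.u("I")[0])

    def principal(self):
        _name_type, n = self.u("II")
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm

    def eof(self):
        return self.o >= len(self.b)


def read_ccache(path):
    """Parse a v4 FILE ccache into a dict; rejects other versions and truncation."""
    with open(path, "rb") as f:
        r = _Reader(f.read())
    major, minor = r.u("BB")
    if (major, minor) != (5, 4):
        raise ValueError("only FILE ccache v4 handled, got 0x%02x%02x" % (major, minor))
    hdr, offsets = _Reader(r.take(r.u("H")[0])), None
    while not hdr.eof():
        tag, ln = hdr.u("HH")
        val = hdr.take(ln)
        if tag == FCC_TAG_DELTATIME and ln == 8:
            offsets = struct.unpack(">II", val)
    cache = {"principal": r.principal(), "time_offset": offsets, "creds": []}
    while not r.eof():
        client, server = r.principal(), r.principal()
        enctype, = r.u("H")
        key = r.data()
        times = r.u("IIII")
        _is_skey, flags = r.u("BI")
        for _ in range(r.u("I")[0]):  # addresses: addrtype + data
            r.u("H"); r.data()
        for _ in range(r.u("I")[0]):  # authdata: ad_type + data
            r.u("H"); r.data()
        ticket, _second = r.data(), r.data()
        cache["creds"].append({"client": client, "server": server, "enctype": enctype,
                               "keylen": len(key), "endtime": times[2],
                               "flags": flags, "ticketlen": len(ticket)})
    return cache


def demo():
    """Write a constructed cache to a temp file, read it back, and return the parse."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_example_")
    os.close(fd)
    try:
        cred = {"client": "kenh@CMF.NRL.NAVY.MIL",                  # principal from the post
                "server": "krbtgt/CMF.NRL.NAVY.MIL@CMF.NRL.NAVY.MIL",
                "enctype": 18, "key": b"\x00" * 32,                # constructed aes256 key
                "times": (1633950000, 1633950000, 1633986000, 1634554800),
                "flags": 0x40C00000,                               # forwardable|renewable|initial
                "ticket": b"\x61\x82\x01\x00" + b"\xaa" * 256}     # constructed ticket bytes
        write_ccache(path, cred["client"], [cred])
        return read_ccache(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(parse_ccache_name("FILE:/tmp/foo"), parse_ccache_name("API:"))
    print(demo())
```

Pointing KRB5CCNAME at a file produced by write_ccache and running klist should list the principal and the krbtgt entry exactly as in the transcript above, although the constructed ticket is of course not usable against a KDC. The version check matters in practice: a cache written by an older library as v3 repeats the enctype in the keyblock, so a v4-only parser would misread it rather than fail cleanly.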

