KRB5 ccache on MACOS
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Oct 11 09:04:59 EDT 2021
>It is
>
>#sw_vers
>ProductName: macOS
>ProductVersion: 11.6
>BuildVersion: 20G165

Alright, so, Big Sur.

There were significant changes in the credential cache support on Big Sur.
I didn't check for file cache support, but .... it looks like to me that
in fact Kerberos on Big Sur _does_ respect the KRB5CCNAME environment
variable:

% env KRB5CCNAME=FILE:/tmp/foo klist
Credentials cache: FILE:/tmp/foo
Principal: kenh at CMF.NRL.NAVY.MIL
[...]

Now it may be that gss_init_sec_context() may be doing something slightly
more magical. If that is the case ... well, I'm not sure there is an
easy fix for that.

You can share API credential caches; prior to Big Sur it used Mach Ports
for the IPC mechanism, and that was based on the Unix userid for access.
With the new mechanism, I am not sure how that works, exactly. Specifically
I do not know whether or not you can access one set of credentials from
another login session.

Regarding your problem with MIT Kerberos, I think your problem THERE is
that MIT Kerberos does not support the new credential cache mechanism on
Big Sur, and basically that error you are getting means "No credentials
found". I submitted a pullup request to add support for that, and it
is here:

https://github.com/krb5/krb5/pull/1221

If you apply that patch to MIT Kerberos, it might work better for you.

--Ken