Trouble Accessing API Credential Cache in C++ Kerberos Integration on macOS

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Oct 31 09:09:35 EDT 2023


>I’m working on integrating Kerberos authentication to my c++
>app. I’m developing on macOS where the default credential cache is
>of type API:.  Initializing a credential cache with KCM: results in
>a deprecation warning asking to use API: instead. My problem in the
>c++ app is that I cannot find any way to access the API: cache to use
>the (valid) credentials that are stored in it. The context is always
>using the KCM cache.  Specifying the default name before trying the
>gss_init_sec_context doesn’t help… If I use the brew version of krb5
>(which is MIT instead of Heimdal-apple I believe?) AND specifying the
>KCM cache, I manage to correctly initialize the security context. Thus
>my question: is there a way to use the default cache used by the default
>kinit on macOS when coding with the MIT Kerberos and gss api?

In _general_ (and this is also true on MacOS X) if you simply take the
defaults you'll get the correct credential cache.  Without doing any
GSSAPI gyrations the 'normal' way the default credential cache is found
is via the KRB5CCNAME environment variable and possibly the Kerberos
configuration file.

The situation on MacOS X is more complicated; normally you would never
use KCM: as a credential type there (definitely not with the Apple
Kerberos libraries).  For a while KCM: would work _if_ you were linking
against MIT Kerberos libraries (and KCM would be the default if you
used MIT Kerberos, but normally you wouldn't have to explicitly specify
it).  But as of Big Sur there was a change in the Heimdal Kerberos
libraries and the API credential cache was no longer interoperable with
the MIT Kerberos KCM credential cache.  I submitted patches to MIT
Kerberos to interoperate with the Apple credential cache and they are
in the latest version of MIT Kerberos available via brew (1.21.2).
In that code it uses API: as the 'correct' credential cache name.

So what I would say is:

- Only in rare circumstances (older MIT Kerberos and pre-Big Sur OS X)
  should you use KCM:
- Normally you shouldn't specify the default credential cache at all
  and the 'right' thing should happen

If you give us more specifics on Kerberos and OS X versions we could work
out the details.

--Ken
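
Ken's advice to take the defaults raises the practical question of which cache those defaults actually resolve to. The following is an added example, not code from this post or from MIT Kerberos: a small C reimplementation of MIT krb5's lookup order (KRB5CCNAME, then default_ccache_name in [libdefaults], then the compiled-in default), useful for checking what a "no explicit cache" program would pick up. The compiled-in value "API:" and the krb5.conf fragments are constructed assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Compiled-in fallback when neither KRB5CCNAME nor krb5.conf names a cache.
 * Assumption: "API:", as in the brew MIT krb5 1.21.2 build on macOS. */
#define COMPILED_IN_DEFAULT "API:"

/* Constructed krb5.conf fragments for the demo (not real system files). */
static const char CONF_PINNED_KCM[] =
    "[libdefaults]\n"
    "    default_realm = EXAMPLE.ORG\n"
    "    default_ccache_name = KCM:\n";
static const char CONF_NO_OVERRIDE[] =
    "[libdefaults]\n    default_realm = EXAMPLE.ORG\n"
    "[appdefaults]\n    default_ccache_name = FILE:/tmp/ignored\n";  /* wrong section */

/* Simplified parser: "default_ccache_name = VALUE" inside [libdefaults] only,
 * one directive per line. Returns 1 and fills out on success, 0 if absent. */
static int conf_default_ccache(const char *conf, char *out, size_t outlen) {
    int in_libdefaults = 0;
    for (const char *line = conf, *eol; *line; line = eol + 1) {
        if (!(eol = strchr(line, '\n'))) eol = line + strlen(line);
        while (line < eol && (*line == ' ' || *line == '\t')) line++;
        size_t len = (size_t)(eol - line);
        const char *eq = len ? memchr(line, '=', len) : NULL;
        if (len && *line == '[')
            in_libdefaults = strncmp(line, "[libdefaults]", 13) == 0;
        else if (in_libdefaults && eq && strncmp(line, "default_ccache_name", 19) == 0) {
            for (eq++; eq < eol && (*eq == ' ' || *eq == '\t'); eq++) ;
            size_t vlen = (size_t)(eol - eq);
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, eq, vlen); out[vlen] = '\0';
            return 1;
        }
        if (!*eol) break;                      /* last line had no newline */
    }
    return 0;
}

/* Resolve the cache a program gets by "just taking the defaults", in MIT krb5's
 * order: KRB5CCNAME, then default_ccache_name in [libdefaults], then the
 * compiled-in default. Returns a static buffer (diagnostic use only). */
static const char *resolve_default_ccache(const char *krb5ccname, const char *conf) {
    static char out[256];
    if (krb5ccname && *krb5ccname) snprintf(out, sizeof out, "%s", krb5ccname);
    else if (!conf_default_ccache(conf ? conf : "", out, sizeof out))
        snprintf(out, sizeof out, "%s", COMPILED_IN_DEFAULT);
    return out;
}
```

To check a real machine, call resolve_default_ccache(getenv("KRB5CCNAME"), contents_of_krb5_conf); with CONF_PINNED_KCM the answer is KCM: (the situation in the question), and with no override and no environment variable it falls through to the compiled-in API:.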
