macOS API ccache, kinit for multiple principals gives internal credentials cache error

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Feb 17 20:09:36 EST 2025


Thanks for digging into this!

>* cc_context_create_new_ccache returned 2529639136.  There we go.

Well, THAT is frustrating.  You can see more about the actual API
by looking at:

$(xcrun --show-sdk-path)/System/Library/Frameworks/Kerberos.framework/Headers/CredentialCache.h

But the official errors from those functions start at 201 and only go up
to around 230.  That's probably one of those OSError codes.  Sigh.

>It took me some work, but I eventually realized that 
>cc_context_create_new_ccache wasn't an actual function, and was 
>resolving to the Kerberos Framework's context_create_new_ccache.

Right, this is detailed in the header file; it's really this macro:

#define         cc_context_create_new_ccache(context, version, principal, ccache) \
                        ((context) -> functions -> create_new_ccache (context, version, principal, ccache))

>I'm not sure how to debug macOS Frameworks.  I tried single-stepping 
>through assembly, and I noticed execution was making it through the 
>Kerberos Framework and into the Heimdal Framework.  And then back into 
>MIT Kerberos code‽  I think the first parameter is a struct with a ton 
>of pointers, and that's being passed around.

Oof, this is "fun", because a lot of those frameworks like to make
Objective-C calls and send IPC messages that wait for callbacks.  It's
a pain.

However, some suggestions here.  You can get a fair amount of the source
code for these pieces from opensource.apple.com (go under "View Releases").
The latest OS release is 15.2, but it doesn't sound like there were
changes that affected this behavior.  You want the "Heimdal" and
"MITKerberosShim" packages.

It looks like this is in the MITKerberosShim package, specifically
ccache.c.  And it looks like it calls the macro LOG_FAILURE(), which
calls the function mshim_failure(), in misc.c.  It looks like THAT might
turn on logging if you create the preference file

/Library/Preferences/com.apple.MITKerberosShim

and in it set "EnableDebugging" to "true" (looks like it logs via
syslog()).

Inside of context_create_new_ccache(), it calls:

heim_krb5_parse_name
heim_krb5_cc_new_unique
heim_krb5_cc_initialize

So one of those is failing and I think the log information will tell you
which one.  From THERE ... well, there's a lot of squinting at the source
code and seeing which function you're in to try to determine what is
happening.  It looks like you're mostly in open-source bits so I think
it is possible to get much closer to the issue.

I really don't understand why I can't reproduce this here, though.  Rather
frustrating!  I created a second test principal in our realm to see if
that is the issue, and I can kinit as two different principals just
fine.

--Ken
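An added check, not part of the thread or of Apple's MITKerberosShim/MIT krb5 code: before treating the value quoted above as an OSError, reinterpret it as a signed 32-bit com_err code. The CredentialCache API's own errors are small positive numbers (201 to about 230, as the reply says), while 2529639136 is the unsigned rendering of -1765328160, which sits in the krb5 error table (base -1765328384, offset 224). The name table in the block is partial and hand-entered from krb5_err.et numbering (MIT's, mirrored by Heimdal); anything not in it is reported as an unknown offset to look up in the .et file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread, Apple's MITKerberosShim or MIT krb5).
 * The CredentialCache API in CredentialCache.h returns its own errors as small
 * positive cc_int32 values; the thread quotes the range 201..~230.  A value
 * such as 2529639136 lies outside it: it is a negative com_err code that was
 * printed as an unsigned 32-bit number.  com_err codes are
 * table_base + offset, table_base in the upper 24 bits, offset in the low 8. */

#define CC_API_ERR_MIN 201        /* range quoted in the thread */
#define CC_API_ERR_MAX 230

/* ERROR_TABLE_BASE_krb5 from krb5_err.et (MIT numbering, mirrored by Heimdal). */
#define KRB5_TABLE_BASE ((int32_t)-1765328384)

struct krb5_name { int32_t code; const char *name; const char *text; };

/* Partial table: only entries whose values I am sure of.  Anything else
 * comes back with name == NULL; look the offset up in krb5_err.et. */
static const struct krb5_name krb5_names[] = {
    { -1765328384, "KRB5KDC_ERR_NONE",                "No error" },
    { -1765328378, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database" },
    { -1765328360, "KRB5KDC_ERR_PREAUTH_FAILED",      "Preauthentication failed" },
    { -1765328243, "KRB5_CC_NOTFOUND",                "Matching credential not found" },
    { -1765328228, "KRB5_KDC_UNREACH",                "Cannot contact any KDC for requested realm" },
    { -1765328189, "KRB5_FCC_NOFILE",                 "No credentials cache found" },
    { -1765328160, "KRB5_CONFIG_NODEFREALM",          "Configuration file does not specify default realm" },
};

typedef struct {
    int32_t signed_code;    /* the raw value reinterpreted as cc_int32 */
    int is_cc_api_error;    /* 1: CredentialCache.h range (201..230) */
    int is_krb5_com_err;    /* 1: upper 24 bits match the krb5 table base */
    int offset;             /* low 8 bits: index into krb5_err.et */
    const char *name;       /* symbolic name if in the partial table, else NULL */
} decoded_error;

decoded_error decode_cc_error(uint32_t raw)
{
    decoded_error d;
    memset(&d, 0, sizeof d);
    /* Two's-complement reinterpretation without relying on a narrowing cast. */
    memcpy(&d.signed_code, &raw, sizeof d.signed_code);

    if (raw >= CC_API_ERR_MIN && raw <= CC_API_ERR_MAX) {
        d.is_cc_api_error = 1;
        return d;
    }
    /* Mask off the low byte and compare with the table base as unsigned bits. */
    if ((raw & 0xFFFFFF00u) == (uint32_t)KRB5_TABLE_BASE) {
        d.is_krb5_com_err = 1;
        d.offset = (int)(raw & 0xFFu);
        for (size_t i = 0; i < sizeof krb5_names / sizeof krb5_names[0]; i++) {
            if (krb5_names[i].code == d.signed_code) {
                d.name = krb5_names[i].name;
                break;
            }
        }
    }
    return d;
}

/* Print a one-line verdict for a value copied from a log or a debugger. */
void explain(uint32_t raw)
{
    decoded_error d = decode_cc_error(raw);
    if (d.is_cc_api_error)
        printf("%u: CredentialCache API error (see CredentialCache.h)\n", raw);
    else if (d.is_krb5_com_err)
        printf("%u = %d: krb5 com_err code, table offset %d (%s)\n",
               raw, d.signed_code, d.offset,
               d.name ? d.name : "not in partial table");
    else
        printf("%u = %d: not a CredentialCache or krb5 code\n", raw, d.signed_code);
}

int main(void)
{
    explain(2529639136u);   /* the value quoted in the thread */
    explain(202u);          /* a CredentialCache.h-range error, for contrast */
    return 0;
}
```

The same decoding applies to any cc_int32 that a CredentialCache call hands back: if the upper 24 bits match a com_err table base, the failure came from the underlying Kerberos library rather than from the cache API itself, which is consistent with the shim forwarding into heim_krb5_* calls as described above.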
