macOS API ccache, kinit for multiple principals gives internal credentials cache error
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Feb 17 21:36:07 EST 2025
>Thanks for digging into this!
>
>>* cc_context_create_new_ccache returned 2529639136. There we go.
Following up to myself ... I realized this actually might be a krb5
error code in unsigned form. 2529639136 is -1765328160 as a signed 32
bit integer, and THAT is:
% find . -type f -print0 | xargs -0 grep -- -1765328160
./MITKerberosShim-MITKerberosShim-87/Kerberos/krb5.h:#define KRB5_CONFIG_NODEFREALM (-1765328160L)
There's a few spots that might actually return that:
% find . -type f -print0 | xargs -0 grep KRB5_CONFIG_NODEFREALM
./Heimdal-Heimdal-693.60.3/lib/krb5/krb5_err.et:error_code KRB5_CONFIG_NODEFREALM, "Configuration file does not specify default realm"
./Heimdal-Heimdal-693.60.3/lib/krb5/get_default_realm.c: return KRB5_CONFIG_NODEFREALM;
./Heimdal-Heimdal-693.60.3/lib/krb5/get_default_realm.c: krb5_set_error_message(context, KRB5_CONFIG_NODEFREALM,
./Heimdal-Heimdal-693.60.3/lib/krb5/get_default_realm.c: return KRB5_CONFIG_NODEFREALM;
./Heimdal-Heimdal-693.60.3/lib/krb5/verify_user.c: ret = KRB5_CONFIG_NODEFREALM;
First, do you have a default_realm set in /etc/krb5.conf ? Maybe that
would fix it, and that would explain why it works for me.
In api_macos_gen_new(), we call cc_context_create_new_ccache() with:
err = cc_context_create_new_ccache(cc_context, cc_credentials_v5, "",
&cc_ccache);
The third argument is supposed to be the principal name, and I thought
"" was valid, but maybe technically it isn't, especially if you don't
have a principal name defined?
What to put in there is a bit of a puzzle, as in that API call we don't
have access to a principal name. I suspect anything that looks like
a valid Kerberos principal would work fine. Might have to look at
what others do in this situation.
--Ken
More information about the Kerberos
mailing list