macOS API ccache, kinit for multiple principals gives internal credentials cache error

A. Karl Kornel karl at kornel.us
Tue Feb 18 14:05:10 EST 2025


On 2025-02-17 05:09 PM, Ken Hornstein wrote:

> Thanks for digging into this!

You're welcome!  It's been an interesting experience.

> <<<snip>>>
>> It took me some work, but I eventually realized that
>> cc_context_create_new_ccache wasn't an actual function, and was
>> resolving to the Kerberos Framework's context_create_new_ccache.
> 
> Right, this is detailed in the header file; it's really this macro:
> 
> #define cc_context_create_new_ccache(context, version, principal, ccache) \
>     ((context) -> functions -> create_new_ccache (context, version, principal, ccache))

Yup, that's what I discovered.

> <<<snip>>>
> However, some suggestions here.  You can get a fair amount of the source
> code for these pieces from opensource.apple.com (go under "View Releases").
> The latest OS release is 15.2, but it doesn't sound like there were
> changes that affected this behavior.  You want the "Heimdal" and
> "MITKerberosShim" packages.

I had found the Heimdal software on
http://github.com/apple-oss-distributions/Heimdal.  I did not think to
look for anything else, but indeed, there it is on GitHub at
https://github.com/apple-oss-distributions/MITKerberosShim.

> It looks like this is in the MITKerberosShim package, specifically
> ccache.c.  And it looks like it calls the macro LOG_FAILURE(), which
> calls the function mshim_failure(), in misc.c.  It looks like THAT might
> turn on logging if you create the preference file

When I was stepping through assembly, LLDB was able to give me symbol
names from the Frameworks, and I recognize `mshim_failure` in that list.

> /Library/Preferences/com.apple.MITKerberosShim
> 
> and in it set "EnableDebugging" to "true" (looks like it logs via
> syslog()).
> 
> Inside of context_create_new_ccache(), it calls:
> 
> heim_krb5_parse_name
> heim_krb5_cc_new_unique
> heim_krb5_cc_initialize
> 
> So one of those is failing and I think the log information will tell you
> which one.  From THERE ... well, there's a lot of squinting at the source
> code and seeing which function you're in to try to determine what is
> happening.  It looks like you're mostly in open-source bits so I think
> it is possible to get much closer to the issue.

Got it.  I'll remember that, in case it's needed.

~ Karl
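Added example, not code from this thread, from Apple's Heimdal, or from the MITKerberosShim package: a small, self-contained mock of the two mechanisms discussed above. It reproduces the shape of the quoted `cc_context_create_new_ccache` macro (a call dispatched through the context's function table, which is why a debugger lands in a differently named function), and a shim-side `context_create_new_ccache` that runs the three steps Ken lists in order and records which one failed, in the spirit of `LOG_FAILURE()`. All types, error values and the `mock_*` / `mshim_failure_mock` functions are stand-ins invented for this example so it compiles without the macOS Kerberos framework.

```c
/* Mock of the CCAPI dispatch pattern and step-by-step failure logging.
 * Nothing here is the real framework API; it is an illustration only. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t cc_int32;
/* Hypothetical error values, not the real CCAPI constants. */
enum { ccNoError = 0, ccErrBadParam = 1, ccErrNoMem = 2 };

typedef struct cc_context_d cc_context_d, *cc_context_t;
typedef struct cc_ccache_d { char principal[128]; } cc_ccache_d, *cc_ccache_t;

/* The function table the macro dispatches through. */
typedef struct {
    cc_int32 (*create_new_ccache)(cc_context_t, cc_int32, const char *, cc_ccache_t *);
} cc_context_f;

struct cc_context_d {
    const cc_context_f *functions;
    const char *last_failing_step;   /* stand-in for what LOG_FAILURE() would log */
    cc_int32 last_error;
};

/* Same shape as the macro quoted in the thread: not a function, a table call. */
#define cc_context_create_new_ccache(context, version, principal, ccache) \
    ((context)->functions->create_new_ccache(context, version, principal, ccache))

/* Mock replacement for mshim_failure(): remember and report the failing step. */
static void mshim_failure_mock(cc_context_t ctx, const char *step, cc_int32 ret) {
    ctx->last_failing_step = step;
    ctx->last_error = ret;
    fprintf(stderr, "MITKerberosShim (mock): %s failed with %d\n", step, ret);
}
#define LOG_FAILURE(ctx, step, ret) mshim_failure_mock((ctx), (step), (ret))

/* Mock stand-ins for the three heim_krb5_* calls Ken lists. */
static cc_int32 mock_parse_name(const char *principal) {
    /* Pretend a principal must carry a realm; anything else is a bad parameter. */
    return (principal && strchr(principal, '@')) ? ccNoError : ccErrBadParam;
}
static cc_int32 mock_cc_new_unique(cc_ccache_t *out) {
    *out = calloc(1, sizeof **out);       /* caller frees */
    return *out ? ccNoError : ccErrNoMem;
}
static cc_int32 mock_cc_initialize(cc_ccache_t cc, const char *principal) {
    snprintf(cc->principal, sizeof cc->principal, "%s", principal);
    return ccNoError;
}

/* The function the macro really resolves to: run the three steps and log
 * the first one that fails, so the debug log says which step to look at. */
static cc_int32 context_create_new_ccache(cc_context_t ctx, cc_int32 version,
                                          const char *principal, cc_ccache_t *out) {
    cc_int32 ret;
    (void)version;
    if ((ret = mock_parse_name(principal)) != ccNoError) {
        LOG_FAILURE(ctx, "heim_krb5_parse_name", ret);
        return ret;
    }
    if ((ret = mock_cc_new_unique(out)) != ccNoError) {
        LOG_FAILURE(ctx, "heim_krb5_cc_new_unique", ret);
        return ret;
    }
    if ((ret = mock_cc_initialize(*out, principal)) != ccNoError) {
        LOG_FAILURE(ctx, "heim_krb5_cc_initialize", ret);
        return ret;
    }
    ctx->last_failing_step = NULL;
    ctx->last_error = ccNoError;
    return ccNoError;
}

static const cc_context_f mock_functions = { context_create_new_ccache };

/* Point a caller-provided context at the mock function table. */
cc_context_t mock_cc_initialize_context(cc_context_d *storage) {
    storage->functions = &mock_functions;
    storage->last_failing_step = NULL;
    storage->last_error = ccNoError;
    return storage;
}

int main(void) {
    cc_context_d storage;
    cc_context_t ctx = mock_cc_initialize_context(&storage);
    cc_ccache_t cc = NULL;
    /* Constructed sample principals: one well-formed, one missing its realm. */
    const char *principals[] = { "alice@EXAMPLE.COM", "bob-without-realm" };
    for (size_t i = 0; i < 2; i++) {
        cc_int32 ret = cc_context_create_new_ccache(ctx, 2, principals[i], &cc);
        printf("%s -> %d (failing step: %s)\n", principals[i], ret,
               ctx->last_failing_step ? ctx->last_failing_step : "none");
        if (ret == ccNoError) { free(cc); cc = NULL; }
    }
    return 0;
}
```

The point of the mock is the shape, not the error values: once the shim's debug logging is on, the step name it records is the thing to match against the open-source `ccache.c` and `misc.c` when working out where the real call chain stops.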

