Please Review Changes to Windows Exports List for krb5 1.2.5 in KfW 2.2

Jeffrey Altman jaltman at columbia.edu
Tue Apr 16 11:28:01 EDT 2002


You can have multiple credential caches.  And that is fine.  The issue
is that I might not have credentials for the service the user wants to
connect to.  But the user can get them.  If I knew which realm the
user needed to authenticate to, then I can prompt the user to get the
correct credentials for the connection she wishes to make.  But
without the ability to determine the correct realm I have to throw my
hands up in the air.

> There is also a limitation in the MIT krb5 API in that each ccache (and
> I know very little about CCAPI, this may not apply to it) can only
> contain creds for one client principal, so even having multiple initial
> TGTs and complete trust information in krb5.conf, unless there is an API
> that takes multiple ccaches as input there is no way to do what you want
> with a single API call.
> 
> But, so what? What's wrong with a loop trying each ccache you have?
> 
> As long as the API can cache negative results and/or fully utilize
> krb5.conf trust information it should be able to avoid unnecessary KDC
> exchanges most of the time.
> 
> As for the KRB5_SERVICE_UNKNOWN error, perhaps a new KRB5_NO_XREALM_PATH
> error would help.
> 
> Nico
> 
> 
> On Mon, Apr 15, 2002 at 05:38:16PM -0400, Jeffrey Altman wrote:
> > I didn't say there was a way to do it today.  I just said that it is
> > what I want. 
> > 
> > What I am trying to avoid is the almost useless error:
> > 
> >   Server not found in realm 
> > 
> > when trying to authenticate with the wrong credentials.



 Jeffrey Altman * Sr.Software Designer      Kermit 95 1.1.21  available now!!!
 The Kermit Project @ Columbia University   SSH plus Telnet, FTP and HTTP
 http://www.kermit-project.org/             secured with Kerberos, SRP, and 
 kermit-support at columbia.edu                OpenSSL.
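
The ccache loop, negative caching and realm lookup discussed in this thread, as an added example that is not part of the original messages and is not MIT krb5 or KfW code. It is a simplified Python model: the function names, the [domain_realm] and [capaths] data and the ccache names are all constructed, and real capaths and hierarchical path resolution are richer than the set lookup used here.

```python
# Simplified model of realm lookup and ccache selection; every name and value is constructed.
DOMAIN_REALM = {            # constructed [domain_realm] section
    ".example.com": "EXAMPLE.COM",
    "db.example.com": "DB.EXAMPLE.COM",
    ".partner.test": "PARTNER.TEST",
}
CAPATHS = {                 # constructed trust data: client realm -> reachable server realms
    "EXAMPLE.COM": {"DB.EXAMPLE.COM"},
}

def realm_for_host(host, domain_realm=DOMAIN_REALM):
    """Try the exact host entry first, then each parent domain written as '.domain'."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None  # the realm cannot be determined from configuration

def pick_ccache(host, ccaches, capaths=CAPATHS, negative=None):
    """ccaches maps ccache name -> its single client principal.
    Returns (action, ccache name or None, service realm or None)."""
    negative = set() if negative is None else negative
    realm = realm_for_host(host)
    if realm is None:
        return ("unknown_realm", None, None)
    for name, principal in ccaches.items():
        client_realm = principal.rsplit("@", 1)[1]
        if (client_realm, realm) in negative:
            continue  # cached negative result: skip without a KDC exchange
        if client_realm == realm or realm in capaths.get(client_realm, set()):
            return ("use", name, realm)
        negative.add((client_realm, realm))  # remember that no path exists
    # No usable ccache, but the realm is known, so the user can be prompted for it.
    return ("prompt", None, realm)

if __name__ == "__main__":
    caches = {"FILE:/tmp/cc_alice": "alice@EXAMPLE.COM"}  # constructed
    for h in ("db.example.com", "www.partner.test", "host.unknown.invalid"):
        print(h, pick_ccache(h, caches))
```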


