OS X 10.2 console apps

Alexandra Ellwood lxs at MIT.EDU
Tue Sep 24 11:28:00 EDT 2002

>A couple of questions:
>1) Has anyone gotten the new kswitch app to work with the -c
>parameter?  (This is the one that tells it to use a different cache.)
>When I specify any API style cache other than the default
>('API:Initial default ccache'), I get the error message "No
>credentials cache named [name]."  When I specify a FILE style cache I
>get the same message, even if the file exists and is a valid ticket
>cache (created for example by the Heimdal kinit).

kswitch only modifies the CCAPI ccache name.  There is no UI support 
in Mac OS X 10.2 for ccaches other than CCAPI-based ccaches.  You 
can, of course, specify a krb5 memory or file based cache 
programmatically if you so desire.

>Is the -c switch simply "not yet implemented"?

The -c option works fine for me.  Note that the first ccache is named 
"Initial default ccache" and then subsequent ccaches are "0", "1", 
etc.  Use "klist -A" to list all the ccaches in your credentials 
cache.  kswitch will take the ccache name with or without the krb5 
"API:" prefix.

If it continues to fail for you, could you please send the output of 
"klist -A" and the output of kswitch failing.

>2) None of the console apps (kinit, klist, kdestroy) appear any longer
>to support the KRB5CCNAME environment variable.  (As recently as OS X
>10.1, you could use this variable to specify the name/path of the
>ticket cache.)

Yes, this is intentional.  On Mac OS X, we treat kinit, klist, 
kdestroy, kpasswd and kswitch as the command-line equivalents of the 
Kerberos application.  They should provide the same functionality.

We felt that having an environment variable which controlled some 
Kerberos applications but not others would be confusing to the user. 
Since KRB5CCNAME is not shared between GUI applications, setting 
KRB5CCNAME changes the behavior of command line applications, but not 
Mail.app, Fetch, or any of the other GUI applications.  This would 
also result in a user seeing different "current credentials" in klist 
and the Kerberos application.

In addition, kswitch switches both krb4 and krb5 caches 
simultaneously (they are paired by principal in the CCAPI).  Using 
environment variables forces users to set both KRB5CCNAME and 
KRBTKFILE.  This can be confusing at some sites since users may not 
know which programs use krb4 and which use krb5.

Of course any applications which check KRB5CCNAME via library 
routines will continue to use it.  So you can use klist -A to get the 
ccache name, set KRB5CCNAME and then your Unix-style command line 
applications will use that ccache.  In this manner you can set up one 
Terminal.app window which uses one set of credentials and one which 
uses another.

Hope this helps,

Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/

More information about the krbdev mailing list